The basic NAT behaviour of a router is to redirect a port from a public IP address always to the same local IP. If you have two public IP addresses, you can redirect one to each Freedombox and it should work.
If you have a single public IP address (like most people, including me), domain1.fbx.one and domain2.fbx.one are translated to that same IP address and your router then redirects all traffic to ports 80 and 443 to any of these two host names to the same Freedombox and it is not surprising that you can get a Let’s Encrypt certificate only on one of them, the one the NAT rules of your router. Also, you can only connect to plinth on one of them.
If you want both Freedomboxes to get Let’s Encrypt certificates and to access plinth with their respective host names that are resolved to the same public IP address, you need to run something on the machine that gets this to redirect http traffic based on destination hostname.
I don’t know whether libreCMC includes that kind of option, this would be nice.
Personally, I am running sniproxy exactly to do that (actually, I only have one freedombox but I have another machine running an http server, hence why I use this). I am not running it on my pioneer that runs freedombox but it is a machine running debian and sniproxy is a small programme so I suppose it would be possible to run it on one of your freedomboxes.
The configuration is in /etc/sniproxy.conf; it needs something like this (assuming sniproxy is running on domain1.fbx.one, and the local IP addresses of freedombox1/2 are 192.168.1.11/12):
```
# Username for the daemon
user sniproxy-daemon

# PID file
pidfile /var/run/sniproxy.pid

error_log {
    # Log to the daemon syslog facility
    syslog daemon

    # Alternatively we could log to file
    #filename /var/log/sniproxy/sniproxy.log

    # Control the verbosity of the log
    priority notice
}

access_log {
    filename /var/log/sniproxy/access.log
}

# blocks are delimited with {...}
listen 0.0.0.0:8888 {
    proto http
    table http_hosts
    # Fallback backend server to use if we can not parse the client request
    fallback 192.168.1.11:80

    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}

listen 0.0.0.0:8889 {
    proto tls
    table https_hosts
    fallback 192.168.1.11:443

    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}

# named tables are defined with the table directive
table http_hosts {
    domain1.fbx.one 192.168.1.11:80
    domain2.fbx.one 192.168.1.12:80
}

table https_hosts {
    domain1.fbx.one 192.168.1.11:443
    domain2.fbx.one 192.168.1.12:443
}
```
Then I made this as a service with a sniproxy.service like this:
```
[Unit]
Description=HTTPS SNI Proxy
After=network.target
Documentation=man:sniproxy(8) file:///usr/share/doc/sniproxy/

[Service]
EnvironmentFile=-/etc/default/sniproxy
Type=simple
ExecStart=/usr/sbin/sniproxy -f
Restart=always

[Install]
WantedBy=multi-user.target
```
I also have a libreCMC router from ThinkPenguin, so if you find out that libreCMC can run sniproxy I am interested to hear about it.
EDIT: What I mentioned will work for http but you still can’t access ejabberd on both Freedomboxes with their respective names. For that, you would really need another public IP address. In France where I live there is a non-commercial ISP that provides a VPN service that comes with a fixed public IP and unfiltered access, so perfect for another freedombox.