In the .kamal/secrets file, you could try to copy/paste the command that you're using to set POSTGRES_PASSWORD to make sure that it's returning the expected value.
I am not sure. What is the use case here instead of using a Let's Encrypt certificate?
It does look like custom certificates are supported (https://github.com/basecamp/kamal/pull/969) but I do not know if validation is done or not on these, so it would need to be tested.