LetsEncrypt generation is broken in some valid configs.
The code that calls out to http://mirror1.freepbx.org/lechecker.php erroneously requires that the outbound request IP match the externally resolved FQDN IP. If the IPs don't match, certman refuses to generate a LetsEncrypt cert.
LetsEncrypt has no such requirement.
There are many valid scenarios where these IPs would not match. An example from the forum: https://community.freepbx.org/t/lets-encrypt-host-name-vs-wan-ip/68490 Googling shows a couple of other reports of the same behavior.
All works OK if the lechecker process is commented out of Certman.class.php.
Personal preference would be for the lechecker request to be removed completely, but if it is maintained, an IP mismatch should not be considered fatal.