We have seen this before with TSOHost (and other GoDaddy services)
They have some sort of security protection which affects the first request from a new requester IP. It does not affect browsers because they follow the faulty "loop" request once and show the resulting page. But, Let's Encrypt detects the faulty redirect right away and stops with that error.
Maybe show TSOHost the below sequence and see if they can disable the setting for your domains
# First request from my own test server
# Note the redirect to / which is back to itself (a loop)
# Also note there is no "Server:" response header value
curl -I http://oneplanet.international
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
# If I immediately follow that redirect I get redirected by Apache
curl -I http://oneplanet.international/
HTTP/1.1 301 Moved Permanently
Date: Wed, 12 Jun 2024 15:00:01 GMT
Server: Apache
Location: https://www.oneplanet.international/
Content-Type: text/html; charset=iso-8859-1
If I wait only a short time and try the first curl request again I do NOT get redirected to the / location. But, if I wait several minutes I again get that odd redirect. I am guessing the security system only remembers a requester IP for a short time and then goes through the initial check again.
# Just 1m30s later the original curl does not redirect to /
curl -I http://kayarchy.com
HTTP/1.1 301 Moved Permanently
Date: Wed, 12 Jun 2024 15:01:33 GMT
Server: Apache
Location: https://www.kayarchy.com/
Content-Type: text/html; charset=iso-8859-1
# But, 8min later it does (still my same test server)
date
Wed Jun 12 15:08:16 UTC 2024
curl -I http://kayarchy.com
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
We have seen this and similar a number of times. Below is just one example that is just like yours (was the easiest for me to find)