Cannot get certificate through cloudflare proxy

Hello. As you may or may not be aware, the entirety of Iran's internet access is suffering through a (near) complete outage. Currently I am connected through an implementation of a VLESS proxy through Cloudflare Workers (which is the only option I currently have at my disposal).
I believe this proxy meddles with Let's Encrypt's usability.
Currently, trying to use curl to connect to the available ACME API (both production and staging) results in this error:

$ curl https://acme-v02.api.letsencrypt.org/directory -v --socks5 127.0.0.1:1080
*   Trying 127.0.0.1:1080...
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: 2606:4700:60:0:f53d:5624:85c7:3a2c
* IPv4: 172.65.32.248
* Opened SOCKS connection from 127.0.0.1 port 43744 to acme-v02.api.letsencrypt.org port 443 (via 127.0.0.1 port 1080)
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   OpenSSL default paths (fallback)
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure
* closing connection #0
curl: (35) TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure

Opening the API (again, both staging and production) page through Firefox results in an SSL_ERROR_NO_CYPHER_OVERLAP error.

(I don't think most of the requested information is relevant to my issue)

The lego ACME client produces this output after being run:

2026/01/21 18:59:31 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": GET https://acme-v02.api.letsencrypt.org/directory giving up after 6 attempt(s): Get "https://acme-v02.api.letsencrypt.org/directory": remote error: tls: handshake failure

The version of my client is: lego version 4.31.0 linux/amd64

Is there anything that can be done to actually get a usable certificate in my conditions or should I just wait until I have more stable internet?


Are you able to connect to other endpoints via VLESS? Such as either of these?

These are the Google Trust Services and ZeroSSL CA ACME endpoints:

https://dv.acme-v02.api.pki.goog/directory
https://acme.zerossl.com/v2/DV90

Both of those resolve and respond. I can't use ZeroSSL due to their "restricted countries" policy. I wasn't aware of Google's ACME implementation at all, but Google's developer-centered services don't tend to play nice with Iranian customers. I will give it a try either way, though.


I have never used this CA but ran across it the other day (by accident).

I don't know that lego even supports it. Even though it is ACME there may be quirks :)

This is a wiki from a different ACME Client but I think lego is much better in general. I post this for the info about the CA

https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA

I am a little surprised Let's Encrypt's endpoint doesn't work if these others do. Although, we have seen that on occasion (most notably Russia a while back, but not currently). Have you tried forcing TLS 1.2 instead of 1.3? Was LE working before the recent network outage?


Forcing curl to use TLSv1.2 results in the same error:

*   Trying 127.0.0.1:1080...
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: 2606:4700:60:0:f53d:5624:85c7:3a2c
* IPv4: 172.65.32.248
* Opened SOCKS connection from 127.0.0.1 port 40838 to acme-v02.api.letsencrypt.org port 443 (via 127.0.0.1 port 1080)
* ALPN: curl offers h2,http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   OpenSSL default paths (fallback)
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure
* closing connection #0
curl: (35) TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure

I did actually get a cert before the outage, but again I emphasize this isn't my usual network setup. This request is made through a Cloudflare Worker VLESS proxy setup; I believe this is affecting how the endpoint responds (or rather doesn't at all).


I wasn't certain you meant that this was first attempt for Let's Encrypt using this setup.

I don't have any suggestions about getting that to work with LE. Perhaps some other volunteer will. Or, perhaps ask on a VLESS forum for suggestions. See if someone there can use VLESS to access LE from a different country, for example. That could rule out some technical issue in VLESS for LE.

Is it possible the outage is blocking requests to LE even through that proxy? Such as by blocking the target IP addresses?


I very much doubt that would be possible with my current setup. Every other website is accessible through my proxy and I don't see why LE would be an exception.
Unless maybe there is an actual issue with Cloudflare not allowing connections to LE through Workers, which would be odd. Maybe I should contact them instead?


Maybe.

In theory building a proxy to LE API is fine. I've pretty much reached the limit of what I can offer.


Thank you for your help either way.


Sorry, may not have followed that clue far enough.

The LE API only offers an ECDSA certificate. When I checked Google Trust earlier I also saw an ECDSA cert. So, I treated that message as a quirk of your Firefox install.

But, I just realized Google Trust API offers both an ECDSA and RSA cert. ZeroSSL only an RSA cert.

So, check that the cipher suites you are connecting with includes ones needed for ECDSA.
