Do you have a Palo Alto brand router/firewall? These products recently added a block of Let's Encrypt cert validations. The symptom is these "reset by peer" errors when trying the ACME challenge URL. If so, see this description.
Trying your server. See the differences?
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/ChallengeToken
curl: (56) Recv failure: Connection reset by peer
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
curl: (56) Recv failure: Connection reset by peer
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 25 Apr 2022 03:42:01 GMT
Content-Type: text/html
Content-Length: 162
Location: http://ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
Connection: keep-alive
Keep-Alive: timeout=20
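Added example, not part of the original post: a small Python check that reads a transcript like the one above and reports whether resets are confined to paths under `/.well-known/acme-challenge/`, which is the pattern that points at an in-line filter rather than the web server. The transcript is constructed from the output quoted in the post; the function names and result wording are assumptions made for this example.

```python
import re

# Transcript constructed from the curl output quoted in the post above.
TRANSCRIPT = """\
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/ChallengeToken
curl: (56) Recv failure: Connection reset by peer
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
curl: (56) Recv failure: Connection reset by peer
curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Server: nginx
"""

PREFIX = "/.well-known/acme-challenge/"

def parse_probes(text):
    """Return [(path, outcome)]; outcome is 'reset', 'http <code>' or 'other'."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        cmd = re.match(r"curl\s+-I\s+(\S+)", line)
        if cmd:
            url = re.sub(r"^https?://", "", cmd.group(1))
            probes.append(["/" + url.partition("/")[2], "other"])
        elif probes and probes[-1][1] == "other":
            # Only the first result line after each command decides the outcome.
            status = re.match(r"HTTP/\S+\s+(\d{3})", line)
            if re.match(r"curl: \(56\)", line):
                probes[-1][1] = "reset"
            elif status:
                probes[-1][1] = "http " + status.group(1)
    return [tuple(p) for p in probes]

def diagnose(probes):
    """Compare outcomes for paths under the challenge prefix with all others."""
    inside = [o for p, o in probes if p.startswith(PREFIX)]
    outside = [o for p, o in probes if not p.startswith(PREFIX)]
    if not inside or not outside:
        return "inconclusive: need probes both under and outside the prefix"
    if all(o == "reset" for o in inside) and all(o.startswith("http") for o in outside):
        return "path-selective reset: challenge requests are dropped before the web server"
    if all(o.startswith("http") for o in inside):
        return "challenge path reaches the web server"
    return "mixed results: not explained by path filtering alone"

if __name__ == "__main__":
    for path, outcome in parse_probes(TRANSCRIPT):
        print(f"{outcome:10} {path}")
    print(diagnose(parse_probes(TRANSCRIPT)))
```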