tldr; Migrating setup over to Rpi for long-term/24-7 use. Letsencrypt reporting connection errors to the acme api, but all my (limited) manual tests, seem to show that there are no communication problems.
My domain is: http://www.scruffies.co.uk
My web server is (include version): docker lsioarmhf/letsencrypt:latest
The operating system my web server runs on is (include version):Rpi3 B Stretch:Lite
Challenge:
As a proof of concept/trial ((for my own sanity not the toolsets! 
) I have been successfully running a number of docker packages on unRAID, reverse-proxied via the lsio/letsencrypt container package or Ngnix & Letsencrypt etc.
I am now attempting to migrate a number of these services over to a Raspberry Pi 3B for 24/7 operation in my home setup.
Whilst the Letsencrypt container on unRAID ((they are all now in a 'stopped' state)) successfully generated certificates and attempted renewals for a number of subdomains, I am encountering connection issues with what I'd thought was a replica of the install on my Rpi 3.
Error Message:
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7529ea10>: Failed to establish a new connection: [Errno -3] Try again',))
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
Current Configuration:
Thus far I have a standard debian:Stretch-Lite image installed, along with 3 containers; 'Portainer', 'Pi-Hole' and 'Letsencrypt'.
Using docker-compose I am:
- Only requesting subdomain certs
- Certs for a single subdomain pihole (pihole.scruffies.co.uk)
- Validating requests via DNS
- Using Cloudflare plugin and providing the corresponding login/api keys entered into dns-conf/cloudflare.ini file
Default ports of 80:80 and 443:443 assigned to the container
Created new port-forwarding profiles (TCP&UDP) in my router for HTTP 80/ HTTPS 443 mappings to the Rpi 3's fixed ip address
Disabled the existing 80/443 rules to my unRAID test machine
Confirmed that my external ip is successfully updating/resolving against the name(s) being requested.
Investigations:
Following the error message it looks like the request is being bounced/lost somewhere along the way (my skills are good enough to determine where 
) but a search of similar threads seemed to suggest that perhaps a firewall or some other system was blocking the outbound connection?
So as per a similar thread I tested a few sample requests from my Rpi 3 CLI
Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import requests
requests.get("https://www.google.com/")
<Response [200]>
requests.get("https://acme-staging.api.letsencrypt.org/directory")
<Response [200]>
requests.get("https://acme-v02.api.letsencrypt.org/")
<Response [200]>
This appears to show that the Rpi can actually connect out to the acme api? so now I am well and truly stumped! :
