At least this test agrees with what I (we) have been seeing which is a timeout connecting to your domain using HTTP.
Are you able to connect to any URL using HTTP from outside your own network?
If so, what URL?
You can even use a mobile phone with wifi off to use your carrier network if needed.
I see many ports "open" from an nmap test, but the connections all fail. Example:
nmap fs.mocse.org -p53,80,443,3389
Nmap scan report for fs.mocse.org (12.152.73.178)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
3389/tcp open ms-wbt-server
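The nmap result above shows why "open" on a scanner is not the same as reachable: something on the path accepted the TCP handshake, but a real HTTP request still times out. The following probe, an added example and not part of this thread, separates the two stages (TCP connect, then an HTTP GET) so the failure point is visible. It runs against a throwaway local web server that answers a constructed, non-real challenge path; point `probe_http` at a public host and port 80 to run the same check from outside your network.

```python
"""Probe whether a host actually answers HTTP on a port, rather than only
looking "open" to a port scanner.  Added example, not from the thread."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Constructed demo values: not a real ACME token or key authorization.
CHALLENGE_PATH = "/.well-known/acme-challenge/example-token"
CHALLENGE_BODY = b"example-token.constructed-key-authorization"


def probe_http(host, port, path="/", timeout=3.0):
    """Return a dict describing two stages: TCP connect, then HTTP GET.

    A scanner reporting a port as 'open' only proves stage 1 succeeded
    somewhere on the path (a firewall or edge device may accept the SYN);
    stage 2 proves a web server received the request and answered.
    """
    result = {"tcp": None, "http_status": None, "body": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["tcp"] = "connected"
    except socket.timeout:
        result["tcp"] = "timeout"
        result["error"] = "TCP connect timed out (filtered, or no route back)"
        return result
    except OSError as exc:
        result["tcp"] = "refused"
        result["error"] = f"TCP connect failed: {exc}"
        return result

    url = f"http://{host}:{port}{path}"
    # Empty ProxyHandler: talk to the host directly, ignore proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            result["http_status"] = resp.status
            result["body"] = resp.read()
    except urllib.error.HTTPError as exc:
        # The server answered, just not with 2xx; still a real HTTP response.
        result["http_status"] = exc.code
        result["body"] = exc.read()
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        result["error"] = f"TCP connected but no HTTP response: {exc}"
    return result


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal server that serves one constructed challenge path."""

    def do_GET(self):
        if self.path == CHALLENGE_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(CHALLENGE_BODY)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Bind a local HTTP server on an ephemeral port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe a working path, a missing path, and a closed port locally."""
    server, port = start_demo_server()
    try:
        ok = probe_http("127.0.0.1", port, CHALLENGE_PATH)
        missing = probe_http("127.0.0.1", port, "/nothing-here")
        # Grab a free port and release it so the connect is refused.
        tmp = socket.socket()
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
        tmp.close()
        closed = probe_http("127.0.0.1", closed_port, "/")
    finally:
        server.shutdown()
        server.server_close()
    return ok, missing, closed


if __name__ == "__main__":
    for label, r in zip(("challenge", "missing", "closed"), demo()):
        print(label, r["tcp"], r["http_status"], r["error"])
```

When `tcp` comes back `connected` but `error` says no HTTP response, the port forward or firewall is passing the handshake without a web server behind it, which matches the symptom in this thread; `timeout` at the TCP stage means the traffic is being dropped before it reaches the host.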
I have a remedial question. The server is named something else, but I have internal and external A records set. The name of the server is different from the subdomain name, fs.mocse.org. Do I need a CNAME set externally? I can access fs.mocse.org on ports 80 and 443 only internally, not externally.
A DNS A record (or AAAA for IPv6) provides the IP address to use for a connection. It is just a convenient translation so people can use names but the IP address is what is used to connect.
A CNAME just points to a different place where the A record is (and/or AAAA). It is just a convenience so the actual IP is only in one place. Some like it to simplify admin.
For a residential setup, the public IP address points to the public IP of your router. The router would have NAT (port forwarding) to direct requests to different devices. For example, it might direct HTTP (port 80) requests to one local IP. And, it might direct requests to a different port to a different local IP (for mail, specialty video sharing or whatnot). In your case you'd set the NAT for ports 80 and 443 to your local IP for IIS Server.
Your local network is not yet configured to allow requests from the public internet. That's beyond the usual scope of what is handled here even though we often give advice about that anyway. We'd need to know more about your setup though. You haven't given enough details to say anything specific.
The app is managing to serve the HTTP challenge locally and it can see it OK, but the attempt to check it remotely failed:
The proxyAPI: True part indicates that it is trying to see if your site is publicly accessible by checking it through api.certifytheweb.com
For HTTP validation to work your server needs to allow TCP port 80 traffic externally through to your server.
Check you have enabled HTTP (TCP port 80 incoming traffic) on both the Windows firewall and in your virtual machine networking control panel (if cloud hosted). If you are self-hosting you have to forward port 80 TCP requests through to your server, also on port 80.
As an alternative, since you are using Cloudflare for your DNS you could instead use DNS validation (Cloudflare DNS | Certify The Web Docs). If you would like to try that, the general process is:
Once you set up an API token in Cloudflare you can switch to DNS validation under Authorization > Challenge Type (DNS)
Set DNS Update Method to Cloudflare
Select a stored credential or New to add a new one.
Select the DNS zone Id by selecting ... and choosing your zone.
Save the managed certificate changes and click Test to check your DNS credentials are OK, then Request Certificate.
Sure, they could probably get a cert that way but they still wouldn't be able to reach their domain from the public internet because of the access problem.