CNAMEs are fine. The error message shows an IP address (which I assume was the correct one at the time), so it’s not related to DNS. Let’s Encrypt simply was unable to connect to port 443 during verification. This could be for any number of reasons - maybe your ISP is blocking incoming connections on port 443 (possibly not all connections, but based on some heuristic - this is not uncommon for residential ISPs). It’s rather hard to make a more educated guess here, since the only thing this error is telling us is that the validation server didn’t reach yours.
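Added illustration (not part of the reply above, and not Let's Encrypt's tooling): a small Python script that applies the reasoning in that reply, splitting "the CA could not reach port 443" into the two things you can actually check yourself. It pulls the IP out of the CA's error text, compares it with what the name resolves to (CNAMEs are followed by the resolver), and then tries a single TCP connect so that a "connection refused" (nothing listening, or a rejecting firewall) can be told apart from a silent timeout (typical of an ISP dropping inbound 443). The hostname, the IP and the error message are constructed, and the resolver and probe are injectable so the demo runs offline.

```python
"""Classify an ACME validation failure as DNS-related or connectivity-related.

Constructed example: the hostname, the IP and the error text are made up,
and the resolver/probe functions can be swapped for fakes to run offline.
"""
import re
import socket
from typing import Callable, Optional, Set

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample error, shaped like a typical CA validation failure.
SAMPLE_ERROR = ("Error during validation: 203.0.113.10: "
                "Timeout during connect (likely firewall problem)")


def ip_in_error(error_text: str) -> Optional[str]:
    """Return the first IPv4 address mentioned in the CA's error message."""
    m = IPV4_RE.search(error_text)
    return m.group(1) if m else None


def resolve_a_records(hostname: str) -> Set[str]:
    """Resolve the name (following any CNAME chain) to its IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def tcp_probe(ip: str, port: int = 443, timeout: float = 5.0) -> str:
    """One TCP handshake attempt: 'open', 'refused' (RST back) or 'timeout' (dropped)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:      # subclass of OSError, so check it first
        return "refused"
    except (socket.timeout, OSError):
        return "timeout"


def classify(error_text: str, hostname: str,
             resolve: Callable[[str], Set[str]] = resolve_a_records,
             probe: Callable[[str], str] = tcp_probe) -> str:
    """Decide whether the failure looks like DNS or like a reachability problem."""
    ip = ip_in_error(error_text)
    if ip is None:
        return "no-ip-in-error"          # nothing to compare; look at the raw log
    if ip not in resolve(hostname):
        return "dns-mismatch"            # CA validated against a stale/wrong address
    state = probe(ip)
    if state == "open":
        return "reachable-now"           # either transient, or blocked only from outside
    return "unreachable-" + state        # 'refused' = nothing listening, 'timeout' = dropped


if __name__ == "__main__":
    # Offline demo with fakes: DNS agrees with the error, but 443 times out.
    fake_resolve = lambda host: {"203.0.113.10"}
    fake_probe = lambda ip: "timeout"
    print(classify(SAMPLE_ERROR, "www.example.com", fake_resolve, fake_probe))
```

Run the real probe from a host outside your own network (a VPS, a phone on mobile data); a connect from inside the LAN can succeed through hairpin NAT while the ISP still drops inbound 443 from the internet, which is exactly the case the reply describes.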