Ok folks, sorry for the distraction.
For the record the issue was a mismatched openssl.cnf file. It was configured for using the Padlock encryption engine, which my openssl didn't have support compiled into it for. Moving to more generic .cnf file fixed things up.
For future noob running LogLevel md:trace3 revealed
Invalid argument: error loading pkey /opt/aa/md/challenges/xxxxxxxx/acme-tls-alpn-01-privkey.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt (pass phrase was not null)
which led me into looking at openssl.
Thanks for everyone's help.