Are you blocking requests from non-USA requesters?
Because Let's Encrypt can reach you from its Primary location in the USA but not from one or more of its Secondary centers outside the USA.
The geography block would be at your Origin server, not the Cloudflare settings, to behave as your describe.
As background if this is the case: