You need to resolve the 522 timeout issue between Cloudflare and your Hestia CP server. Make sure you don’t have any AAAA records in the Cloudflare DNS app for your Hestia CP server. The synthetic ones that Cloudflare publishes are fine. Just don’t have any in your dashboard because Hestia does not currently support IPv6.
When using Cloudflare and Let’s Encrypt, it is best to adjust your Cloudflare configuration to work well with HTTP-01 validation.