You need to resolve the 522 timeout issue between Cloudflare and your Hestia CP server. Make sure you don’t have any AAAA records in the Cloudflare DNS app for your Hestia CP server. The synthetic ones that Cloudflare publishes are fine. Just don’t have any in your dashboard because Hestia does not currently support IPv6.
When using Cloudflare and Let’s Encrypt, it is best to adjust your Cloudflare configuration to work well with the HTTP-01 validation.
You don’t add an exception in Hestia. You use the Page Rule that I shared in your Cloudflare settings. It prevents Cloudflare from disrupting the Let’s Encrypt renewal on your Hestia CP server.