This doesn’t seem related to the recent DNS incident since your domain doesn’t use Vercel nameservers.
Your existing _acme-challenge records might be interfering with cert generation.
If you have the SSL/TLS encryption mode set to “Full” and not “Full (Strict)”, that’s a good start. But keep in mind that using reverse proxies in front of Vercel is not recommended.