letsencrypt certificate not loading outside internal network

Question

I have a RasberryPi 4 running ubuntu/20.04.4 with nginx/1.18.0

Configured the ports forward (80,443) to the RPI4 and previously had it working with some godaddy certs and domain.

When the certs expired I tried to generate them with:

https://letsencrypt.org/getting-started/

https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal

First I did:

sudo certbot certonly --nginx

and just replace the old ones. But this gave me the same error as when I run:

sudo certbot --nginx

and let certbot configured nginx.

Inside the internal network the certs load fine and show as valid. I'm able to access web pages and java services fine.

When try to access it from public internet the certs doesn't seem to load and the page gets stuck loading.

The ping seems to work from outside:

$ ping MyCheapDomain.app
PING MyCheapDomain.app (IP.PUB.LI.C) 56(84) bytes of data.
64 bytes from 3.red-IP-PUB-LI-C.dynamicip.rima-tde.net (IP.PUB.LI.C): icmp_seq=1 ttl=56 time=30.5 ms
64 bytes from 3.red-IP-PUB-LI-C.dynamicip.rima-tde.net (IP.PUB.LI.C): icmp_seq=2 ttl=56 time=32.4 ms
64 bytes from 3.red-IP-PUB-LI-C.dynamicip.rima-tde.net (IP.PUB.LI.C): icmp_seq=3 ttl=56 time=31.5 ms
^C
--- MyCheapDomain.app ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 30.520/31.473/32.398/0.766 ms

Curl gets a timeout to 443 but works for 80

$ curl MyCheapDomain.app
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

$ curl https://MyCheapDomain.app/login
curl: (28) Failed to connect to MyCheapDomain.app port 443: Connection timed out

I also tried:

$ openssl s_client -connect MyCheapDomain.app:443 -msg
281473522260448:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
281473522260448:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110

I tried leaving just the nginx default welcome page and got the same results. Do I need to specify something to the certbot to generate public certs? Or I'm missing some configuration? Is this a limitation on the certs?

UPDATE

I followed advise in the comments and tried tcpdump to see if the RPI was receiving something in port 443:

$ sudo tcpdump port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:01.242056 IP INT.ERN.AL.IP.40142 > a23-37-165-67.deploy.static.akamaitechnologies.com.https: Flags [S], seq 124278182, win 64240, options [mss 1460,sackOK,TS val 149925512 ecr 0,nop,wscale 7], length 0

1 packet captured
29 packets received by filter
0 packets dropped by kernel

Then did a curl from outside:

~$ curl https://MyCheapDomain.app/
curl: (28) Failed to connect to MyCheapDomain.app port 443 after 75099 ms: Operation timed out

So even the curl timed out it seems to receive something.