@hairydog, thanks for providing the info privately, that was invaluable!
A fair bit of diagnostics later, I’m fairly confident the issue is the connection being used, specifically Three 4G Mobile broadband - I’m able to replicate the same issue on a VM on the end of a Three connection, but only very intermittently, and only on that connection, not a separate DSL connection, or another mobile network.
It seems to be something that the network is doing with outgoing traffic, which is breaking some (but apparently not all) connections, which matches what I’ve personally experienced a few times in the last few months with Three.
I suspect it’s something related to their content filtering, so would probably suggest trying a VPN or another network to see if that helps.
Just for confirmation, here’s the output of sympl-ssl being run on a freshly imaged Pi on the Mythic Beasts hostedpi.com domain:
```
root@sympl:~# sympl-ssl --verbose
Applying IPv6 only workaround...
* Examining certificates for sympl.hostedpi.com
Current SSL set 0: self-signed for /CN=sympl.hostedpi.com, expires 2021-07-30 11:22:05 UTC
The current set is no longer valid for this domain.
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
Requesting verification for sympl.hostedpi.com from https://acme-v02.api.letsencrypt.org/directory
Successfully verified sympl.hostedpi.com
Requesting verification for www.sympl.hostedpi.com from https://acme-v02.api.letsencrypt.org/directory
Successfully verified www.sympl.hostedpi.com
Successfully fetched new certificate and created set 1
Rolled over to SSL set 1
Removed IPv6 only workaround
```