521 even on flex

You will always have four IPs when proxying through Cloudflare: two IPv4, and two IPv6. That is expected.

I’m not really sure why you are sharing a Let’s Debug test, as that’s for troubleshooting Let’s Encrypt certificate issuance, and has nothing to do with Cloudflare. Additionally, you shared an HTTP-01 test, and your mention of Nginx editing your Cloudflare DNS with a token suggested to me that you are using DNS-01 validation. Either way, the Let’s Encrypt Community is the place to work out Let’s Encrypt problems.

I am operating on the information you provided that suggested you have your origin certificates in order. Your 521 error indicates that traffic sent from the Cloudflare proxy to your origin is not being handled correctly at the origin. The forwarded requests are not receiving a response from your origin. This is why I suggest that you monitor the traffic at each point under your control, working your way from the side closest to Cloudflare until you reach the web server.

You can easily generate requests with curl and use a unique string to make it easier to filter. Without knowing where the connection is disrupted, it’s next to impossible to know what needs to be fixed.

1 Like
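
The curl-with-a-unique-string approach from the reply above, as an added example that is not part of the original post. The hop names, log files and the `cfprobe-` marker format are assumptions, and the log lines in `demo` are constructed.

```shell
#!/usr/bin/env bash
# Tag a probe with a unique marker, then find the first hop (listed from the
# Cloudflare side inward) whose log never saw it. Hop names are hypothetical.

make_marker() {  # unlikely to collide with real traffic
  printf 'cfprobe-%s-%s' "$(date +%s)" "$$"
}

# The marker rides in the query string and the User-Agent, so it is visible
# wherever HTTP is logged (hops that terminate TLS). Prints the status code.
send_probe() {
  local host="$1" marker="$2"
  curl -sS -o /dev/null -m 10 -A "$marker" -w '%{http_code}\n' \
    "https://${host}/?probe=${marker}"
}

# first_missing_hop MARKER name=logfile [name=logfile ...]
# Prints the first hop whose log lacks the marker, or "none".
first_missing_hop() {
  local marker="$1" hop name file
  shift
  for hop in "$@"; do
    name="${hop%%=*}"; file="${hop#*=}"
    if ! grep -qF -- "$marker" "$file" 2>/dev/null; then
      printf '%s\n' "$name"; return 0
    fi
  done
  printf 'none\n'
}

# Constructed sample: the front proxy logged the probe, nginx never did.
demo() {
  local d m result
  d=$(mktemp -d); m='cfprobe-1700000000-4242'
  printf '203.0.113.9 "GET /?probe=%s HTTP/1.1" 502\n' "$m" > "$d/front.log"
  printf '203.0.113.9 "GET /healthz HTTP/1.1" 200\n' > "$d/nginx.log"
  : > "$d/app.log"
  result=$(first_missing_hop "$m" front="$d/front.log" nginx="$d/nginx.log" app="$d/app.log")
  rm -rf "$d"
  printf '%s\n' "$result"
}
```

On a live system, run `m=$(make_marker); send_probe example.com "$m"` with your own hostname in place of `example.com`, then pass your real log paths to `first_missing_hop` in order from the edge inward.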