; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for redacted.com.)
Your DNSSEC Configuration is broken.
It looks like you had DNSSEC Set up at your old DNS Host. Not all DNS Resolvers validate DNSSEC, some ISP-operated Resolvers don’t, but most Public ones and Certificate Providers do, which will prevent them from resolving your site/issuing a certificate.
You’ll want to either outright disable DNSSEC, or enable DNSSEC with Cloudflare and update your DNSSEC configuration with the information Cloudflare gives you:
These changes to your DNSSEC Configuration can be done at your Registrar, Sav.com.
After you make these changes to fix your DNSSEC Configuriation, the certificate issuance should retry after a bit and succeed. You can use the dnsviz.net site and click “Update Now” to confirm you fixed the issue, no “BOGUS” status/notices should appear.