@sandro let me try to explain what @sborja.net is trying to say:
Cloudways offers Managed Cloud Hosting on popular providers like Amazon, Digital Ocean, Google, etc. By default the servers don’t come with IPv6. If anyone has a server directly from one of the providers, then they can purchase an IPv6 at an extra cost, but on Cloudways (the server bought via them) this option is not available.
They offer free SSL via the Let’s Encrypt service. Let’s Encrypt requires that, to get SSL, the domain should be pointed to the server IP, as the process verifies whether the request for the domain is authentic or not in order to issue the SSL. It’s not like I can just issue SSL for any domain like facebook(dot)com because I initiated a request, so that’s where the authentication process comes in; it’s called acme_challenge.
Since by default the servers don’t have IPv6, there is no need to set AAAA records in your DNS settings, so if we don’t have Cloudflare enabled and we don’t set AAAA, the request is authenticated and the SSL is issued, as the request is sent at A (IPv4) only; while there are no records for AAAA (IPv6), the request isn’t sent for authentication.
But if we add Cloudflare on our domain, then Cloudflare adds IPv6 although we don’t have any AAAA (IPv6); instead of showing a red checkbox here https://www.whatsmydns.net/ it starts to show AAAA records. So once Cloudflare is enabled and someone tries to issue the SSL, the authentication request sent on A (IPv4) records is verified while the AAAA (IPv6) never reaches the server, and hence the SSL authentication fails with an error message like "AuthorizationError: Some challenges have failed."
This issue might not be related just to Cloudways but to all other users as well who are hosting the site directly on any of the providers, or on any provider whose servers have only IPv4 enabled.
A similar case has been discussed here as well: https://community.Cloudflare.com/t/ssl-at-weebly-not-working-due-to-hidden-aaaa-record-here/24136. The solution was to disable IPv6 via API, but that should not be the case; a simple option should be available in the Cloudflare Dashboard to disable IPv6, as not every user is technical and shouldn’t have to deal with this.
So what Cloudflare needs to do, in my opinion, is that they should not simply enable AAAA records if the records are not present in the domain DNS settings, or provide an option to its users to disable IPv6.
I hope that makes things more clear.
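
A preflight check for the situation this post describes, as an added example that is not part of the original post or of any Cloudways, Cloudflare or Let’s Encrypt tooling: before requesting a certificate, it lists every A and AAAA address the domain publishes and fetches a test file from the HTTP-01 challenge directory at each one. The test file name `preflight.txt`, the function names and the sample addresses are assumptions made for the example.

```python
import http.client
import socket

FAMILIES = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}
CHALLENGE_DIR = "/.well-known/acme-challenge/"  # HTTP-01 path (RFC 8555)

def resolve(host, rtype):
    """Addresses the host publishes for one record type ("A" or "AAAA")."""
    try:
        infos = socket.getaddrinfo(host, 80, FAMILIES[rtype], socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this type
    return sorted({info[4][0] for info in infos})

def fetch_status(addr, host, path, timeout=5):
    """HTTP status of path at one specific address; None if the request fails."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def preflight(host, test_file, resolver=resolve, fetcher=fetch_status):
    """Map (record type, address) -> status for every published address."""
    path = CHALLENGE_DIR + test_file
    return {(rtype, addr): fetcher(addr, host, path)
            for rtype in FAMILIES for addr in resolver(host, rtype)}

def failing(report):
    """Published addresses that did not return the test file with a 200."""
    return sorted(key for key, status in report.items() if status != 200)

# Constructed scenario (documentation addresses, not real data): the zone
# publishes an AAAA record, but nothing answers on it.
SAMPLE_DNS = {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]}
SAMPLE_HTTP = {"203.0.113.10": 200, "2001:db8::10": None}

def sample_report():
    return preflight("example.com", "preflight.txt",
                     resolver=lambda host, rtype: SAMPLE_DNS[rtype],
                     fetcher=lambda addr, host, path: SAMPLE_HTTP[addr])

if __name__ == "__main__":
    for (rtype, addr), status in sample_report().items():
        print(f"{rtype:4} {addr:15} -> {status}")
    print("failing:", failing(sample_report()))
```

To check a real domain, place a file in the challenge directory and call `preflight()` with the default resolver and fetcher. A redirect status is listed as failing here and needs a manual look.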