I'm not sure about Let's Encrypt at the very least, but the keepalived CIDR is indeed worth being /32; otherwise things might get weird in some other aspects as well (like the src IP of haproxy_hosts becoming the VIP, while they're not whitelisted for some services).
Also, there should not be any issue with having the internal VIP as an FQDN.
I will try to reproduce that on Monday with some proper FQDN and Let's Encrypt.
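A defender-side check on the /32 point above, added here as an example and not code from the thread or from keepalived itself: it parses keepalived's standard `virtual_ipaddress { <ip>/<prefix> dev <if> }` blocks (the config below is a constructed sample) and lists any VIP whose prefix length is not a host route.

```shell
#!/bin/sh
# Added example: report keepalived VIP entries that are not /32 (IPv4) or /128 (IPv6).
# Assumes keepalived's usual virtual_ipaddress block syntax and that an address
# written without a prefix length defaults to a host route, as keepalived documents.

# Constructed sample config; for a real check use:
#   find_wide_vips "$(cat /etc/keepalived/keepalived.conf)"
SAMPLE_CONF=$(cat <<'EOF'
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        192.0.2.10/24 dev eth0
        192.0.2.11/32 dev eth0
        2001:db8::10/128 dev eth0
        192.0.2.12 dev eth0
    }
}
EOF
)

# Print one "<address>/<prefix>" per VIP whose prefix is wider than a host route.
# Entries without an explicit prefix are skipped (they default to /32 or /128).
find_wide_vips() {
    printf '%s\n' "$1" | awk '
        /virtual_ipaddress[ \t]*[{]/ { inblock = 1; next }
        inblock && /[}]/             { inblock = 0; next }
        inblock {
            addr = $1
            if (addr !~ /\//) next          # no prefix given: keepalived uses a host route
            split(addr, parts, "/")
            ipv6 = (addr ~ /:/)
            if ((ipv6 && parts[2] != 128) || (!ipv6 && parts[2] != 32)) print addr
        }'
}

find_wide_vips "$SAMPLE_CONF"
```

Any address it prints will also be installed with a connected route for that whole prefix, which is the situation the comment above describes (outbound traffic from the haproxy hosts sourced from the VIP).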