You cannot. LE does not publish such a list. Each center has a pool of IPs and even those pools change regularly. See this FAQ answer: FAQ - Let's Encrypt
Maybe, or at least more than one. As I just noted, the source IPs change.
Can you check your Apache access logs and see the successful requests for each domain? Perhaps a pattern will emerge.
That is not an IP for any of the authorization centers. (You would connect to that outbound; the auth centers are inbound to you.)
The advice from Let's Encrypt is that if you cannot keep HTTP open to the entire internet you should use the DNS Challenge.
This is a terrific article on the overall strategy. Perhaps start with this section: Multi-Perspective Validation & Geoblocking FAQ
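
The access-log review suggested above, as an added example that is not part of the original post: it groups HTTP-01 challenge requests by domain and source IP so that any pattern in which sources succeeded becomes visible. The Apache `vhost_combined` log format, the hostnames and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re
from collections import defaultdict

# Assumed LogFormat: Apache "vhost_combined"
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ACME_PREFIX = "/.well-known/acme-challenge/"
UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

def _line(vhost, ip, path, status):
    """Build one constructed log line in the assumed format."""
    return (f'{vhost}:80 {ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 87 "-" "{UA}"')

# Constructed sample log: placeholder hostnames, documentation-range addresses.
SAMPLE_LOG = [
    _line("a.example.org", "192.0.2.10", ACME_PREFIX + "tokA", 200),
    _line("a.example.org", "198.51.100.7", ACME_PREFIX + "tokA", 200),
    _line("a.example.org", "203.0.113.5", ACME_PREFIX + "tokA", 200),
    _line("b.example.org", "192.0.2.44", ACME_PREFIX + "tokB", 200),
    _line("b.example.org", "198.51.100.9", ACME_PREFIX + "tokB", 403),
    _line("b.example.org", "203.0.113.5", "/index.html", 200),  # not a challenge
]

def summarize(lines):
    """Return {vhost: {"ok": set(ips), "failed": set(ips)}} for challenge requests."""
    summary = defaultdict(lambda: {"ok": set(), "failed": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue  # unparsable line or ordinary traffic
        bucket = "ok" if m["status"] == "200" else "failed"
        summary[m["vhost"]][bucket].add(m["ip"])
    return dict(summary)

def never_succeeded(summary):
    """Source IPs that asked for a challenge file but never received a 200."""
    ok = set().union(*(v["ok"] for v in summary.values()))
    failed = set().union(*(v["failed"] for v in summary.values()))
    return failed - ok

if __name__ == "__main__":
    for vhost, result in sorted(summarize(SAMPLE_LOG).items()):
        print(vhost, "ok:", sorted(result["ok"]), "failed:", sorted(result["failed"]))
```

Requests dropped at a network firewall never reach Apache, so they will not appear in this summary at all; only sources that got as far as the web server are counted.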