There was a recent change adding remote validation centers.
If you are not willing or able to open port 80 for the HTTP Challenge, you could use the DNS Challenge instead. Unless, of course, you run your own DNS servers and block access by geography, but that is unusual.