It looks like fail2ban (or maybe another firewall) is still affecting requests. I can see your site fine from my US server but the Let's Encrypt Server(s) still fail to connect with "connection refused".
Let's Encrypt verifies from multiple locations and these IP addresses change regularly. It would be best if you could allow requests from any IP with a URI that contains /.well-known/acme-challenge
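An added example, not part of the original post: a Python simulation of how a fail2ban-style failure regex and ignore regex interact on an access log, showing a validation client banned for 404s on challenge URLs unless those requests are exempted. The regexes, the threshold and the log lines are constructed assumptions; the actual jail configuration is not shown on this page.

```python
import re
from collections import Counter

# Assumed filter: count every 4xx response as a failure, as a
# "bad bot" style jail might. Not the poster's actual configuration.
FAILREGEX = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" 4\d\d ')

# Exemption for ACME HTTP-01 requests. It is anchored to the start of the
# request path, so the prefix appearing later in a URL does not qualify.
IGNOREREGEX = re.compile(r'"(?:GET|HEAD) /\.well-known/acme-challenge/')

MAXRETRY = 3  # assumed ban threshold

# Constructed access log (combined format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 404 153 "-" "validator"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 404 153 "-" "validator"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /.well-known/acme-challenge/tokC HTTP/1.1" 404 153 "-" "validator"
203.0.113.50 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.50 - - [10/Mar/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 403 153 "-" "scanner"
203.0.113.50 - - [10/Mar/2024:10:01:02 +0000] "GET /admin?next=/.well-known/acme-challenge/ HTTP/1.1" 404 153 "-" "scanner"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "browser"
"""


def banned_hosts(log, ignore=None, maxretry=MAXRETRY):
    """Return the sorted hosts that reach maxretry failures in the log."""
    failures = Counter()
    for line in log.splitlines():
        # Lines matching the ignore regex are dropped before counting.
        if ignore is not None and ignore.search(line):
            continue
        match = FAILREGEX.match(line)
        if match:
            failures[match.group("host")] += 1
    return sorted(h for h, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    print("without exemption:", banned_hosts(SAMPLE_LOG))
    print("with exemption:   ", banned_hosts(SAMPLE_LOG, ignore=IGNOREREGEX))
```

The exemption only helps if port 80 is reachable in the first place; an address already banned at the firewall never produces a log line to ignore.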