Well, it looks like your system is sometimes returning a 403 (Forbidden) response to Let's Encrypt's checks. Or really in general. I tried an online tool that tries to connect from many places around the world, and from some places it worked and from some places it didn't.
So I'm guessing that you have some sort of firewall which is intentionally blocking things that it thinks are an "attack" (or at least unexpected), which is including Let's Encrypt's attempts to validate that you have control over the domain name. Let's Encrypt needs to check from multiple places around the world, to make sure that you actually control the name as seen from everywhere in the world. This FAQ might help with explaining why:
So you need to figure out what is (sometimes) returning that 403, and configure it to allow traffic that you want, such as the validation attempts from Let's Encrypt.
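
One way to start narrowing down where the 403 comes from, as an added example that is not part of the original post: group the web server's own access-log entries for the HTTP-01 challenge path by token, status and source address. It assumes a combined-format access log; the log lines, addresses and token names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format: documentation-range IPs and
# made-up tokens, not taken from any real server.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.9 - - [12/Mar/2024:10:01:02 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [12/Mar/2024:10:01:03 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [12/Mar/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:05:41 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [12/Mar/2024:10:05:42 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

ACME_PREFIX = "/.well-known/acme-challenge/"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(log_text):
    """Return {token: {status: [source IPs]}} for challenge requests only."""
    per_token = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue  # unparseable line or unrelated request
        token = m["path"][len(ACME_PREFIX):].split("?", 1)[0]
        per_token[token][int(m["status"])].add(m["ip"])
    return {t: {s: sorted(ips) for s, ips in by.items()}
            for t, by in per_token.items()}

def classify(by_status):
    """'mixed' = some sources got 200 and others 403 for the same token."""
    if 403 not in by_status:
        return "no-403"
    return "mixed" if 200 in by_status else "all-403"

def report(log_text):
    return {tok: classify(by) for tok, by in summarize(log_text).items()}

if __name__ == "__main__":
    for tok, by in summarize(SAMPLE_LOG).items():
        print(tok, classify(by), by)
```

A 403 that shows up in this log was issued by the web server or a module inside it; a validation attempt that failed but never appears here was refused by something in front of the server, which is where the allow rule belongs.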