Oh, another thing that I just noticed is that you have the port 443 redirection in place, which is a likely explanation for a failure here. There was a change last month which no longer allows port 443 to be used for validation for new issuances:
If this image was developed prior to that change and hasn't updated its software and/or documentation, that would be a very likely reason for the validation failures!