cURL error 35. Are our IPs blocked?

I don't think we can do much more without Wireshark (curl vs. openssl s_client).

That's worse than:

But ^^ implies some access had already taken place.

Yes. We send the issue request via the VPN network and then LE connects to the website address to validate the request. The website address that has been used for validation and the validation date are marked yellow.

So...
You could proxy the request to LE.
OR
Use the backup path I've created, with:
--server https://le-acme-v02.beer4.work/directory

Note: That will "look" like a new server to the certbot client.
So, it will [re]register a new account.

Let's try to set up some other client that doesn't use curl:
Installation & Upgrades | Certify The Web Docs or lego

lego:

certify:

We use Plesk LE plugin which does not have the option to change LE API URL.
So probably our only option now is to continue using VPN to proxy requests.

It's surprising that there is enough time to discuss workarounds and some connection details, but no way at all to simply check the list and say, "no, your IP isn't there". If the IP is not listed, ok, we got it and we are not going to ask you to solve our problem.
Anyway. Thanks.

There is a way to do that.
And I've already asked for someone to do that.
The problem is there is no SLA for such questions - and none for everything posted in this forum.
The response could be in 3 minutes OR in 3 days.

But that answer will be: That IP is NOT blocked.

But that answer will definitely calm me down :grinning:
I'll be waiting. Thank you very much!

Most LE staff are in the US West Coast time zone.
So, someone should be getting to it soon - unless more important things are ahead in queue.

188.42.141.10 is not blocked

Which TLS protocol levels and cipher suites are enabled in Windows? You can use IIS Crypto to check the current settings.

Hello. This topic was started by my colleague, who is now on vacation. Below I provide screenshots from IIS Crypto.

Thanks, those settings look good (in that they are broadly compatible, there's a bunch of stuff that can be deselected to make things a little more secure but that's off-topic).

At this point I would probably just try a different CA instead of Let's Encrypt. How you do that depends on the ACME client software you decide to use.

I saw that there is a mention of TLS 1.3, which is not supported by Windows Server 2012 R2.
The output of openssl s_client -connect acme-v02.api.letsencrypt.org:443:

PS C:\Users\Administrator> openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000144)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = acme-v02.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3348 bytes and written 410 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DB8FDE5C2CBE7E26551B9DB278BC537D38445FF028CDBE7DFF6AACE818967063
    Session-ID-ctx:
    Resumption PSK: 11A4005C0A17F5F8F5A534857860BAD51A1DDC6079FF665EC51F41E73AFDB226F29BEF14D86883F8A02E443F7017C039
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 80 80 97 b2 c5 f1 7d 1c-51 c5 ad 51 f4 b5 21 c1   ......}.Q..Q..!.
    0010 - be 0e 85 e2 f3 7a f6 63-0e b5 36 b7 f1 d2 94 fe   .....z.c..6.....

    Start Time: 1699257499
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4F9E8FF64315AB8BD2AE69756C6800DA4D44C35D4963D4A9C42217783EC0AD92
    Session-ID-ctx:
    Resumption PSK: A97C1F00D8B3726E70A56EBE2DE5A30155723398F46BFEB826928019E78B28CC55BE95D8F5876B346343A562B9C1DDDC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - bb 8e f9 26 67 cf dc ce-c9 a9 fe ed 49 89 27 34   ...&g.......I.'4
    0010 - 95 39 a1 95 98 fa ef 98-c9 c5 d2 6e 82 f2 03 58   .9.........n...X

    Start Time: 1699257499
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
Verify return code: 20 (unable to get local issuer certificate)

hmmm

Red herring, that's just a Windows thing.
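As an added example (not from the thread or any of its participants), a small Python parser that pulls the fields that matter out of `openssl s_client` output like the one above: the negotiated protocol and cipher, the certificate chain, and the verify return code. It separates a local trust-store problem (verify code 20, the "Windows thing" noted above) from a handshake that never completed, which is what a client-side TLS error such as cURL error 35 would correspond to. The two inputs are constructed samples: one trimmed from the output format shown in the thread, one representing a connection that closed before a handshake.

```python
"""Extract protocol, cipher, chain and verify result from `openssl s_client` output."""
import re

# Constructed sample, trimmed to the format of the output shown in the thread.
SAMPLE_OK = """\
CONNECTED(00000144)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample: the peer closed the connection before any handshake finished.
SAMPLE_FAILED = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
"""

def parse_s_client(text):
    """Return protocol, cipher, chain [(subject, issuer), ...] and verify code (None if absent)."""
    result = {"protocol": None, "cipher": None, "chain": [], "verify_code": None}
    m = re.search(r"^New, (TLSv[\d.]+), Cipher is (\S+)", text, re.M)
    if m:
        result["protocol"], result["cipher"] = m.group(1), m.group(2)
    # Chain entries span two lines: " N s:<subject>" followed by "   i:<issuer>".
    for m in re.finditer(r"^\s*\d+ s:(.+)\n\s+i:(.+)$", text, re.M):
        result["chain"].append((m.group(1).strip(), m.group(2).strip()))
    m = re.search(r"^Verify return code: (\d+) \((.*)\)", text, re.M)
    if m:
        result["verify_code"], result["verify_reason"] = int(m.group(1)), m.group(2)
    return result

def diagnose(parsed):
    """Classify the result: no handshake, handshake with a local trust problem, or clean."""
    if parsed["protocol"] is None:
        return "handshake failed: no protocol negotiated (client-side TLS error territory)"
    notes = [f"handshake OK: {parsed['protocol']} / {parsed['cipher']}"]
    if parsed["verify_code"] == 20:
        notes.append("verify code 20: this client's trust store lacks the issuer, not a block")
    elif parsed["verify_code"] == 0:
        notes.append("chain verified")
    return "; ".join(notes)
```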