Cyber-attacks from the secondary verification source addresses

So, you recently introduced the mandatory secondary verification.
All of its requests originate from Amazon AWS Singapore and Netherlands.
Although we are US-based and only serve US users, we created and enabled firewall rules to allow AWS from those 2 locations.
Immediately we found in the web server logs non-stop scrubbing, brute-forcing and other hacking attacks that originate from the same subnets as your secondary verification. When we further investigated, we found that 99% of them originate from random consumer ISPs in Russia and immediately follow up from AWS.
So, in sum, your requirement for the mandatory 2nd verification opens North-American web sites to hacking attacks from Russia. Are you happy now?
What will it take to stop you from exposing us to foreign cyber-criminals?

Six years ago:

You do not need to enable global access for a Let's Encrypt challenge to succeed. You can switch to DNS-based validation instead of HTTP, or allow-list only the .well-known/acme-challenge path globally. You have plenty of options available if you don't want to allow global access.

(Personally, I don't understand why people think geoblocking protects them. It's not like an attacker can't buy a VPS with a US IP to bypass your geoblock. Those "hackers" you're seeing are stupid, automated scanners that pose no real threat to any reasonably secured website. The real threats are all capable of bypassing your geoblock.)
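
The path-scoped allow-list suggested in the reply above, sketched as an added example that is not part of the thread and assumes nginx is the web server. The client networks, host name and webroot directory are constructed placeholders; port 80 has to be open at the network firewall for the challenge location to be reachable.

```nginx
# Added example, not from the thread. Goes in the http {} context.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for the networks this site is meant to serve (constructed values).
geo $allowed_client {
    default          0;   # any other source address is refused normal content
    203.0.113.0/24   1;
    198.51.100.0/24  1;
}

server {
    listen 80;
    server_name example.com;            # placeholder host name

    # ACME HTTP-01 challenge: open to every source address, because the
    # validation requests can arrive from any network. Only static token
    # files written by the ACME client are served; nothing is proxied or
    # executed, and unknown tokens return 404.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;             # placeholder webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on port 80 stays behind the source-address check.
    location / {
        if ($allowed_client = 0) {
            return 403;
        }
        return 301 https://$host$request_uri;
    }
}

# The HTTPS server block (not shown) applies the same $allowed_client test,
# so the challenge path on port 80 is the only globally reachable content.
```

With DNS-based validation, the other option named in the reply, no inbound exception is needed at all and the challenge location can be dropped.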