Two more things to check:
- Does it work if you put a file without any extension in there as well? The files created by certbot don’t have an extension, maybe your configuration is sensitive to that.
- You might want to try requesting the file while connected to some third-party VPN or Tor to simulate an external request, in case you’re currently doing this from the same network your server is in, or from some otherwise “special” network (that’s not treated like a random IP from the internet, like Let’s Encrypt’s validation server).