Error Generation certificate

So, we see the error here:

"DNS problem: query timed out looking up CAA for webext.segplan.go.gov.br"

The DNS resolution chain eventually hits these nameservers:

lb.go.gov.br.           1800    IN      NS      lb-oi.go.gov.br.
lb.go.gov.br.           1800    IN      NS      lb-oi2.go.gov.br.
lb.go.gov.br.           1800    IN      NS      lb-ctbc.go.gov.br.

However, they seem not to respond to any query type other than A queries. Let's Encrypt needs to be able to issue a CAA query and get a successful response (even if empty).

Take note of the following from Let's Encrypt's page on CAA:

CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

It is not possible to get an answer to a CAA query from the nameservers authoritative for sfb.lb.go.gov.br, which is the CNAME target of webext.segplan.go.gov.br:

https://unboundtest.com/m/CAA/sfb.lb.go.gov.br/AV6GRN7T

or you can try:

dig +trace sfb.lb.go.gov.br. caa
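As an added illustration (not code from this post or from Let's Encrypt), the following models the CAA check described above: the CA follows the CNAME chain, asks for CAA at the end of it, accepts an empty answer, and fails hard on a timeout. The zone table, the `answers_only` flag standing in for a nameserver that only answers A queries, and the 192.0.2.10 address are all constructed for the example.

```python
# Added example, not code from the post or from Let's Encrypt. It models the
# CAA check the post describes (CAA is queried after following CNAMEs; an empty
# answer is fine, a timeout is fatal) over a constructed in-memory zone table.

MAX_CNAME_HOPS = 8

def query(zone, name, rrtype):
    """Toy resolver over the constructed zone table.
    A name with a CNAME answers the CNAME for any query type (as real DNS does).
    If a name lists 'answers_only', queries for other types time out, which is
    the behaviour the post observed on the lb.go.gov.br nameservers.
    Returns (status, payload): CNAME, DATA, EMPTY or TIMEOUT."""
    entry = zone.get(name, {})
    if "CNAME" in entry:
        return "CNAME", entry["CNAME"]
    if "answers_only" in entry and rrtype not in entry["answers_only"]:
        return "TIMEOUT", None
    return ("DATA", entry[rrtype]) if rrtype in entry else ("EMPTY", [])

def caa_lookup(zone, name):
    """Follow the CNAME chain from `name` and request CAA at the end of it.
    Returns (ok, detail): ok=True with the CAA records (possibly none) when the
    CA obtained a usable answer, ok=False with the error text otherwise."""
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        seen.add(name)
        status, payload = query(zone, name, "CAA")
        if status == "CNAME":
            if payload in seen:
                return False, f"CNAME loop at {payload}"
            name = payload
            continue
        if status == "TIMEOUT":
            return False, f"DNS problem: query timed out looking up CAA for {name}"
        return True, payload  # DATA or EMPTY: CA can go on to evaluate CAA policy
    return False, "too many CNAME hops"

# Constructed zones using the names from the post; 192.0.2.10 is a TEST-NET-1 placeholder.
BROKEN_ZONE = {
    "webext.segplan.go.gov.br": {"CNAME": "sfb.lb.go.gov.br"},
    "sfb.lb.go.gov.br": {"A": ["192.0.2.10"], "answers_only": {"A"}},
}
FIXED_ZONE = {
    "webext.segplan.go.gov.br": {"CNAME": "sfb.lb.go.gov.br"},
    "sfb.lb.go.gov.br": {"A": ["192.0.2.10"]},  # now answers CAA with NOERROR / no data
}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, caa_lookup(zone, "webext.segplan.go.gov.br"))
```

The broken zone reproduces the exact error text quoted at the top of the post; the fixed zone shows that an empty CAA answer is all that is required.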