If you can't use the DNS Challenge (see linkp post #3) could you disable the firewall just on port 80?
And, in the port 80 VirtualHost, redirect all requests to HTTPS (you probably already do).
With no firewall blocking IPs to port 80 the HTTP Challenge should succeed. You are using the --apache plug-in so it should capture the Challenge URL for you without redirecting to https. If you were using --webroot then you'd have to add a location for the /.well-known/acme-challenge URL.
Any of the malicious IPs trying HTTP will get redirected to HTTPS and be blocked by your firewall.
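A sketch of the port 80 VirtualHost for the --webroot case mentioned above, added here as an illustration and not taken from the original post. The hostname `www.example.org` and the webroot `/var/www/acme` are placeholder assumptions; mod_rewrite and mod_alias are assumed to be enabled.

```apache
# Port 80 stays reachable from any address so the HTTP-01 validation
# request can get through; everything except the challenge path is
# redirected to HTTPS, where the IP-based firewall rules still apply.
<VirtualHost *:80>
    # Placeholder hostname (assumption, not from the thread)
    ServerName www.example.org

    # Serve challenge tokens from a dedicated directory that holds nothing
    # else. /var/www/acme is an assumed path; pass the same directory to
    # the client as its webroot.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        # Static token files only: no indexes, no overrides, no CGI
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Leave the challenge path on plain HTTP ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and send every other request to HTTPS. The target host is fixed
    # rather than copied from the Host header, so a forged Host value
    # cannot steer the redirect elsewhere.
    RewriteRule ^ https://www.example.org%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With the --apache plug-in this exception is not needed, as the post says; it only matters when the client writes tokens to a webroot.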
There is another option which was mentioned briefly in earlier posts here, the DNS-01 challenge method.
(I wanted to include the link to the page translated into Portuguese, but the site said "this page has not been translated yet")
The difficulty is that this is usually more complicated to automate, and it's not very pleasant to use Let's Encrypt services without setting up automated renewal. With this alternative method, you need a way to make changes to DNS records from software (usually with an API provided by your DNS host). I'm guessing that PRODERJ or another state agency that might provide your Internet hosting services most likely does not offer this.
Folks who should know better (or their automated scripts) are reporting these IPs because the HTTP validation checks their ACME challenge. AbuseDB et al. should instead use a manual review process for ISRG IPs, and if they don't, you should discontinue use of their database because you are very likely to DoS yourself.
Cool! Is there some way that I could give a presentation to your colleagues (including, ideally, from other states) about Let's Encrypt and how to support it better? Is there an event I could attend for that purpose or another way to communicate about that?