Hi @ksmacd,
This has often been discussed before and is contrary to Let's Encrypt policy (that is, Let's Encrypt is not willing to cooperate with attempts to whitelist particular validation IP addresses, although doing so might work temporarily).
If you don't want to allow incoming connections to your service from the general public, you should use the DNS-01 validation method instead of HTTP-01 or TLS-SNI-01.