Let's Encrypt uses multi-perspective domain validation from around the globe, so an exemption for just the USA (the origin of Let's Encrypt) won't be enough.
It would be a better idea to globally allow requests for the path /.well-known/acme-challenge/,
which should not be a security risk (nothing should be present at that location except for validation tokens). Alternatively you might be able to use the dns-01
challenge, if your DNS servers aren't affected by these strict rules from your hosting provider.
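One way to express the carve-out described above, as an added example that is not part of the original post: an nginx server that geo-blocks everything except the ACME HTTP-01 path, so validation requests from any of Let's Encrypt's perspectives get through while the rest of the site stays restricted. It assumes nginx with the GeoIP module (`$geoip_country_code`) and the webroot directory /var/www/acme; the allowed country list is a constructed placeholder.

```nginx
# Constructed example: country allow-list via ngx_http_geoip_module.
# $blocked is 1 for every country except the ones listed (placeholder values).
map $geoip_country_code $blocked {
    default 1;
    US      0;
    DE      0;
}

server {
    listen 80;
    server_name example.com;   # placeholder hostname

    # ACME HTTP-01 challenge path: reachable from everywhere.
    # Only the validation tokens live here; anything else returns 404,
    # directory listing stays off (nginx default), and no scripts run.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else keeps the geo restriction.
    location / {
        if ($blocked) {
            return 403;
        }
        root /var/www/html;
    }
}
```

The `^~` prefix makes the ACME location win over the catch-all `/` block, so the 403 rule never applies to the challenge path; the ACME client (e.g. certbot's webroot mode) writes its tokens to /var/www/acme/.well-known/acme-challenge/.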