IP addresses LE is validating from to build firewall rule

I have a similar want. Right now we have Bitbucket calling the single public IP address on port 80 to activate webhooks that trigger CI builds. Traffic to port 80 from Bitbucket's provided network ranges is routed to the CI server.

From their documentation:

If you want your server to check that the payloads it receives are from Bitbucket, whitelist these IP ranges:
131.103.20.160/27
165.254.145.0/26
104.192.143.0/24

Any other IP on port 80 does nothing.

Even if there were one or multiple network ranges provided, it would allow adding a rule that redirects just the Let's Encrypt traffic as desired.
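
The routing decision described in the post above, as an added example that is not part of the original post or of Bitbucket's documentation: port 80 traffic is forwarded to the CI server only when the source falls inside one of the quoted ranges, and everything else is ignored. The function names, the decision labels and the sample connections are assumptions made for illustration.

```python
import ipaddress

# Ranges exactly as quoted in the post from Bitbucket's documentation.
BITBUCKET_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "131.103.20.160/27",
    "165.254.145.0/26",
    "104.192.143.0/24",
)]


def normalize(src):
    """Parse a source address string; return None if it is not an IP.

    A dual-stack listener reports IPv4 peers as IPv4-mapped IPv6
    (::ffff:a.b.c.d), so unwrap those before matching IPv4 ranges.
    """
    try:
        ip = ipaddress.ip_address(src.strip())
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have it
    return mapped if mapped is not None else ip


def decide(src, dport, ranges=BITBUCKET_RANGES):
    """Return 'forward-ci' for port 80 traffic from a listed range, else 'ignore'."""
    ip = normalize(src)
    if ip is None or dport != 80:
        return "ignore"
    if any(ip.version == net.version and ip in net for net in ranges):
        return "forward-ci"
    return "ignore"


def classify(connections):
    """Apply decide() to (source, destination port) pairs."""
    return [(src, dport, decide(src, dport)) for src, dport in connections]


if __name__ == "__main__":
    # Constructed sample connections, not real traffic.
    sample = [
        ("131.103.20.161", 80),        # inside the /27
        ("131.103.20.192", 80),        # one past the end of the /27
        ("::ffff:104.192.143.7", 80),  # IPv4-mapped form of a listed address
        ("104.192.143.7", 443),        # listed source, wrong port
        ("not-an-ip", 80),             # malformed input
    ]
    for row in classify(sample):
        print(*row)
```
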