That is too limited for Let's Encrypt HTTP Challenges now (*1). There was a change in April to add additional non-USA validation centers and at least one of these must succeed along with the others.
Peter's "Multi-Perspective ..." link in post #2 has the whats and whys.
This part of that thread talks about the recent change
*1) It would also be too limited for authoritive DNS servers behind such a firewall and using the DNS Challenge. It just is not as typical to see DNS Servers firewalled like that but we do see it sometimes.