It has always been the case that Let's Encrypt's validation IPs can change at any time and that you cannot block any IPs.
That CBL used to sometimes falsely block Let's Encrypt's traditional IPs as well. See most recently:
Maybe they added those IPs to some kind of exception list but not the new ones.
You should stop blocking things, stop using that blocklist, add some kind of exception for the validation requests (e.g. the /.well-known/acme-challenge/ path for HTTP-01 validation), or use DNS-01 validation (assuming your DNS servers don't use these blocklists too).
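
The path-based exception suggested above, sketched as an added example that is not part of the original post: the blocklist check is skipped only for a GET of exactly `/.well-known/acme-challenge/<token>`, so the exemption does not depend on which IPs the validation requests come from. The function names, the set-based blocklist, the token length cap and the sample addresses are assumptions of this example.

```python
import re

# RFC 8555 section 8.3: an HTTP-01 token contains only base64url characters.
# The 256-character cap is an assumption of this example, not a protocol limit.
ACME_HTTP01_PATH = re.compile(r"/\.well-known/acme-challenge/[A-Za-z0-9_-]{1,256}")


def is_acme_http01_request(method: str, request_target: str) -> bool:
    """True only for GET /.well-known/acme-challenge/<token> (query ignored)."""
    if method.upper() != "GET":
        return False
    # Work on the raw, still percent-encoded target. A valid challenge path
    # needs no encoding, so "..", "%2e%2e", "//" and extra segments all fail
    # the full match instead of being normalised into something exempt.
    path = request_target.partition("?")[0]
    return ACME_HTTP01_PATH.fullmatch(path) is not None


def allow_request(method: str, request_target: str,
                  client_ip: str, blocklist: set) -> bool:
    """Apply the IP blocklist to everything except HTTP-01 validation requests."""
    if is_acme_http01_request(method, request_target):
        # Exempt by path, not by source address: validation IPs can change.
        return True
    return client_ip not in blocklist


if __name__ == "__main__":
    # Constructed sample data: documentation-range IPs and a made-up token.
    blocklist = {"203.0.113.7"}
    token = "Zm9vYmFyLXRva2VuLWNvbnN0cnVjdGVkLWV4YW1wbGU"
    samples = [
        ("GET", "/.well-known/acme-challenge/" + token, "203.0.113.7"),
        ("GET", "/.well-known/acme-challenge/../admin", "203.0.113.7"),
        ("GET", "/.well-known/acme-challenge/%2e%2e/admin", "203.0.113.7"),
        ("POST", "/.well-known/acme-challenge/" + token, "203.0.113.7"),
        ("GET", "/admin", "203.0.113.7"),
        ("GET", "/admin", "198.51.100.20"),
    ]
    for method, target, ip in samples:
        verdict = "allow" if allow_request(method, target, ip, blocklist) else "block"
        print(f"{verdict:5}  {ip:15} {method:4} {target}")
```
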