The recent changes adding challenges from Sweden and Singapore have introduced problems for organizations that use geofencing/geoblocking to better secure their sites. I have two concerns about this.
I can't find anywhere in the Let's Encrypt documentation that tells/warns users that they should no longer use geofencing as this will likely cause the failure of renewals. I think you need to be honest and upfront now that this is so, so that anyone can evaluate if they choose to use Let's Encrypt because of this limitation.
I find it really odd that the purpose of Let's Encrypt is to make the web more secure, but in order to use Let's Encrypt certificates, you now have to stop using geofencing in your firewall. The whole purpose of geofencing is to make your organization more secure. I think there needs to be a better solution.
"no longer" implies that geoblocking was ever supported, suggested, or allowed. It has always been explicitly discouraged and unsupported. Many subscribers had issues prior to the new vantage points being deployed, because they did not expect their geoblocking would obviously impact any sort of domain validation.
Multi-perspective validation was designed to defend against security concerns that you unfortunately do not understand or fully comprehend. This topic has been discussed extensively and exhaustively on this forum. Here is a primer from the docs, and I suggest you search the forum for more information as there have been many nearly-identical posts here in the past - one of which in the past few weeks.
Also keep in mind that other publicly trusted CAs will also be forced to implement some form of multi-perspective validation in the future when the CA/Browser Forum ballot SC-067 becomes effective.
(Although that doesn't mean all CAs implement the same geographical distances as e.g. Let's Encrypt currently does.)
Only in the sense of being able to tell that the server someone is connecting to is actually run by the controller of the domain name being connected to. In order to validate that, they need to be sure that the name is actually controlled the same way as seen from everywhere on the Internet. (This isn't just a theoretical attack, either; look through the "Additional Resources" links on that CAB issue, which will encourage all CAs to continue checking from many places around the globe.)
Not at all. You just need to not block the /.well-known/acme-challenge requests on port 80. You're free to do geoblocking all you want on port 443, or for other URL patterns.
There's nothing new going on really, Let's Encrypt has always said that you should keep port 80 open. If all it's doing is handling ACME challenges, and serving redirects to https for those clients that try unencrypted http by default, then there really isn't much of an attack surface that geoblocking would help with.
Or, if you're comfortable with your DNS server being exposed to the world but don't want your web server exposed at all (for some sort of internal application), then use the DNS-01 challenge instead.
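As an added example of the split described in the reply above (geoblock on 443, leave the HTTP-01 path on 80 reachable), here is an nginx configuration that does exactly that. It is not from the thread and not Let's Encrypt's own configuration. It assumes the legacy ngx_http_geoip_module with a country database at /usr/share/GeoIP/GeoIP.dat, an ACME webroot of /var/www/acme, a backend on 127.0.0.1:8080, and an allow-list of two country codes; all of those are assumptions for illustration.

```nginx
# Added example, not from the original thread.
# Assumes ngx_http_geoip_module and a legacy GeoIP country DB (path assumed).
http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Assumed allow-list: everything not listed resolves to "no".
    map $geoip_country_code $allowed_country {
        default no;
        US      yes;
        CA      yes;
    }

    # Port 80: deliberately NO geoblock. Validation requests come from
    # Let's Encrypt's vantage points (now including Sweden and Singapore)
    # and a "return 403" here is what breaks issuance and renewal.
    server {
        listen 80;
        server_name example.com;

        # HTTP-01 tokens only. This is the one path that must be world-reachable.
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/acme;        # assumed webroot given to the ACME client
            default_type text/plain;
        }

        # Everything else on 80 is a bare redirect; no application is exposed,
        # so there is little for a geoblock to protect here.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Port 443: the application lives here, so the geoblock belongs here.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # Country check applies only to the HTTPS application traffic.
        if ($allowed_country = no) {
            return 403;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }
    }
}
```

The failing configuration this replaces is the same file with the `if ($allowed_country = no) { return 403; }` block copied into the port 80 server as well: the redirect still works for allowed clients, but a validator in a blocked country gets a 403 on /.well-known/acme-challenge/ and the order fails. With the layout above, an ACME client using webroot mode (for example certbot with `--webroot -w /var/www/acme -d example.com`) writes the token under the assumed webroot and every vantage point can fetch it, while the country rule on 443 is untouched. If the HTTP server must not be exposed at all, the DNS-01 route from the reply above sidesteps this file entirely.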