Hi @mushu
following on from here: Migrating webserver off ISP to own boxes (IIS 8.5)
But I have full control over the new boxes and can enable port 80/443 on them to the public--but of course DNS is still pointing to our ISP-hosted site.
Neither lets-win-encrypt simple or le64.exe will work if you have a delay between writing files (from the client) and them being available on your web server (the FTPS delay you are describing)
The best option from here is to use zerossl which gives you more granular control over the process
As always there is an article here to help you out 
Let's Encrypt Part 1 - Issuing and Installing Certificates for Microsoft IIS the "Easy Way"
Once the DNS records are pointing directly to your IIS Server and your boxes then swap to LE64.exe
This is a client limitation and just something you need to plan
@schoen both of the clients just march on with the HTTP challenge (i.e. create the folder and then submit the challenge without user intervention)
Andrei