I need to configure Let's Encrypt with automatic certificate renewal on a firewalled-off system. Could you please tell me what all of the IPv4 subnets are that the validator uses? [So I can allow all of them in the firewall.]
As others have said, the short answer is 0.0.0.0/0 & ::/0.
Let's Encrypt needs to verify that you own the name as seen from everywhere on the Internet. That's the whole reason that they can sign your certificate to certify that your server owns the name, that they've confirmed that the name resolves to the owner of that certificate from everywhere. They check from multiple locations, and can occasionally change where they're checking from, to help ensure that nobody is trying to spoof their connections to servers.
If you're trying to get a certificate for a server that isn't publicly accessible, your only options are:
1. Use the DNS-01 challenge instead. This only requires your DNS server to be accessible from everywhere, instead of both your DNS and your web server needing to be.
2. Script your firewall to open up and allow for connections from everywhere during the time that you're renewing, and close your firewall back up afterward.
The key to using Let's Encrypt (or any other CA too, ideally, though other CAs don't always make it easy) is to automate the process so that you don't need to think about it, and usually the first of those options is easier to automate, but I've heard of other people in this forum that do the second. (And for some reason some IT departments are much more comfortable with their DNS servers being publicly accessible than their web servers.)
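One way to script the second option, as an added example that is not from the original thread: a small hook script that certbot calls before and after an HTTP-01 renewal, opening TCP/80 to everyone (IPv4 and IPv6, matching the 0.0.0.0/0 and ::/0 answer) and then removing only the rule it added. It assumes nftables with a `table inet filter` / `chain input` that drops by default; the `NFT` variable, the `acme-http01` tag and the `acme-fw.sh` path are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: certbot pre/post hooks that
# open TCP/80 to the whole Internet only while an HTTP-01 renewal runs,
# then delete exactly the rule they inserted.
# Assumed setup: nftables "table inet filter" with "chain input"; invoked as
#   certbot renew --pre-hook "/etc/acme-fw.sh open" --post-hook "/etc/acme-fw.sh close"
set -eu

TABLE="inet filter"      # the inet family matches both 0.0.0.0/0 and ::/0
CHAIN="input"
TAG="acme-http01"        # rule comment, so acme_close removes only our rule
NFT="${NFT:-nft}"        # override with a stub command for a dry run

# Prepend an accept rule for new HTTP connections to the input chain.
acme_open() {
    # $TABLE is deliberately unquoted: nft wants "inet" and "filter" as two words
    "$NFT" insert rule $TABLE "$CHAIN" tcp dport 80 ct state new accept comment \"$TAG\"
}

# Delete every rule carrying our tag. "nft -a list" prints each rule with its
# handle as the last field, e.g.:  ... accept comment "acme-http01" # handle 7
acme_close() {
    handles=$("$NFT" -a list chain $TABLE "$CHAIN" \
        | awk -v tag="$TAG" '$0 ~ "comment \"" tag "\"" { print $NF }')
    for h in $handles; do
        "$NFT" delete rule $TABLE "$CHAIN" handle "$h"
    done
}

case "${1:-}" in
    open)  acme_open ;;
    close) acme_close ;;
    "")    ;;            # no action requested (e.g. sourced for testing)
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

Because certbot only runs the pre-hook when a certificate is actually due, the port stays closed on the daily renewal timer runs that do nothing.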