This is a case where using a client that gave a more specific error is extremely valuable. In this case the problem is not anything that you're doing, but rather a policy issue related to your domain!
The problem is a system called Certificate Authority Authorization (CAA).
The people who run the Paraná state government domain have created CAA records for pr.gov.br that only allow DigiCert and GlobalSign to issue certificates for pr.gov.br domains.
There are two ways around this:
(1) Get them to add a third CAA record that permits Let's Encrypt to issue certificates.
(2) Create your own CAA record at the marmeleiro.pr.gov.br level that permits Let's Encrypt to issue certificates. This will override the higher-level record.
I guess you didn't mean for people to see your domain name, but it's visible in the first image (and seeing it was very helpful for me in understanding what was happening here).
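The lookup behind both options, as an added example that is not part of the original post: a CA climbs the DNS tree from the requested name toward the root and applies the first non-empty CAA record set it finds (RFC 8659), which is why a record at the subdomain takes precedence over the one at pr.gov.br. The zone contents below are constructed to match the situation described, and DNS is modelled as a plain dictionary instead of live queries.

```python
# Constructed CAA RRsets (flags, tag, value) keyed by DNS name; the real
# zone contents are not shown in the post, so these are assumptions.
PARENT_ONLY = {
    "pr.gov.br": [(0, "issue", "digicert.com"), (0, "issue", "globalsign.com")],
}
WITH_OVERRIDE = {
    **PARENT_ONLY,
    "marmeleiro.pr.gov.br": [(0, "issue", "letsencrypt.org")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(zone, name):
    """Climb from name toward the root and return (owner, rrset) for the
    first non-empty CAA RRset, or (None, []) when the tree has none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def may_issue(zone, name, ca_domain):
    """Decide whether ca_domain may issue for name (a leading '*.' marks a
    wildcard request) according to the relevant CAA RRset."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_caa(zone, name[2:] if wildcard else name)
    records = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    # issuewild, when present, replaces issue for wildcard requests.
    wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        wanted = "issuewild"
    allowed = [v.split(";", 1)[0].strip().lower()
               for _, tag, v in records if tag == wanted]
    if not allowed:
        return True  # no CAA record, or none that restricts issuance
    return ca_domain.lower() in allowed
```

With only the parent record, `may_issue(PARENT_ONLY, "marmeleiro.pr.gov.br", "letsencrypt.org")` is refused; with the subdomain record added, the same request is allowed, while other names under pr.gov.br are still governed by the parent's policy.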