Renew certificate failed due to secondary validation (again)

Please do not read only the last post in the previous thread.
Of course I totally deleted all firewall rules before I checked the problem and posted it here again.
The issue: some of the Let's Encrypt verification servers have connection problems to my Hetzner DE IP subnet.
It was confirmed by Let's Encrypt staff:

I have confirmed we saw errors from validator instances in both AWS's us-east-2 and eu-central-1 regions to your IP address. Sorry, I don't easily have the IP address of the instances and it would take a bit of work to correlate the different logs to find what the external IPs of the instances are.

Hetzner has many IP subnets.
If Let's Encrypt validation works well for your subnet, it does not mean it works well for all Hetzner subnets.