I'm sorry to see that this validation problem has been difficult for @smon and the community to diagnose. We share your frustration about how tough it can be to find the exact spot where there's a routing, firewall, or similar problem.
This seems like a good moment to clarify some context:
As some community members have noted here, we're a small team responsible for a great many certificates. It would be impossible to troubleshoot most individual subscribers' problems ourselves. We hugely appreciate our community members' help in doing this. They flag us on problem reports that are especially unusual, or are part of a pattern that could mean there's a problem on our end; and we also watch for these patterns ourselves.
Because of this, we need everyone seeking help to provide enough information to help our community troubleshoot their problem. If you have a concern about sharing some information, we sympathize (since security and privacy are our whole thing) and will try our best to help you. But some types of problem can't be solved without all the information and all the context.
Because of this, we also need everyone seeking to help to be mindful of a subscriber's own context and concerns. If someone's reticent to post some information or try a troubleshooting step, by all means gently encourage them and try to talk them through it, but please don't let that descend into an argument.
Now, on to this issue:
I checked with my colleagues and located the domain name you had sent us in a PM. It looks like you were requesting a certificate with a large number of Subject Alternative Names (SANs), which we validate all at once. Customers' reports across the Web suggest that Hetzner may have built-in, network-level DDoS protection. If that's correct, then they are likely misidentifying this large traffic "spike" from a small number of IP addresses (ours), in quick succession, as a type of DDoS.
We haven't identified any pattern of problems with Hetzner; I see a normal validation success rate for other requests at the times you attempted to validate, and over time for your "neighbors" on nearby IP addresses. So, I think this is the problem.
If this is it, and Hetzner isn't able to help you, then I recommend requesting more certificates with fewer hostnames in each. That will spread out the validation traffic and prevent this problem.
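One way to plan the split recommended above, as an added example that is not part of the original post: it divides a long hostname list into certificate-sized batches so each request validates only a few names at once. The cap of 3 names, the choice to keep a name and its `www.` variant on the same certificate, and the hostnames themselves are assumptions made for illustration.

```python
def site_key(name):
    """Grouping key: the hostname without a leading 'www.' label."""
    return name[4:] if name.startswith("www.") else name


def plan_certificates(hostnames, max_names=10):
    """Split hostnames into batches of at most max_names SANs each.

    A name and its 'www.' variant always land on the same certificate.
    Groups are packed first-fit in input order, so the plan is deterministic.
    """
    if max_names < 2:
        raise ValueError("max_names must be >= 2 so a name and its www. variant fit")
    groups = {}
    for raw in hostnames:
        # Normalise case and a trailing root dot so duplicates collapse.
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        members = groups.setdefault(site_key(name), [])
        if name not in members:
            members.append(name)
    batches = []
    for members in groups.values():
        for batch in batches:
            if len(batch) + len(members) <= max_names:
                batch.extend(members)
                break
        else:
            # No existing batch has room: start a new certificate.
            batches.append(list(members))
    return batches


# Constructed sample input (not taken from the thread).
SAMPLE_HOSTNAMES = [
    "example.com", "www.example.com", "shop.example.com",
    "example.net", "www.example.net",
    "WWW.Example.org.", "example.org", "blog.example.org",
    "example.com",  # duplicate, dropped during normalisation
]

if __name__ == "__main__":
    for i, batch in enumerate(plan_certificates(SAMPLE_HOSTNAMES, max_names=3), 1):
        print(f"certificate {i}: {', '.join(batch)}")
```

Each batch is then requested as its own certificate, one after another, so the validation requests for the full list no longer arrive in a single burst.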