@wfuener With webroot, the Certbot client will create the challenge file but it is the Lets Encrypt servers which must find it. So, the LE server will make a request similar to:
If you try that today it should return 404, but instead will time out.
You can use this to help debug the connection
Also, see this: