Hi @roosit,
Since August 25, the Let's Encrypt CA has been making multiple tests of a challenge before the challenge is marked complete. This means that when you get one inbound connection, you may still have to wait for others to succeed before the challenge is considered successful.
In this case, if you whitelisted a particular Let's Encrypt IP address in a firewall, the challenge may have failed because Let's Encrypt was also connecting from an additional IP address. We've discouraged people many times from whitelisting specific addresses that they think Let's Encrypt will connect from, because the intent is to make this increasingly unpredictable as a defense against some kinds of attacks against the CA system.
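An added illustration of the behaviour described in the reply above (not part of the original post and not Let's Encrypt code): a client should poll the challenge until it reaches a final RFC 8555 state instead of treating the first inbound connection as success, and a single-address allowlist then shows up as `invalid`. The names `wait_for_challenge`, `simulated_ca` and `run`, the documentation-range addresses, and the simplification that each poll corresponds to one validation connection and that all of them must get through are assumptions made for the example.

```python
import time

TERMINAL = {"valid", "invalid"}          # RFC 8555 challenge states that end validation
IN_PROGRESS = {"pending", "processing"}  # RFC 8555 states where the CA may still connect

def wait_for_challenge(fetch_status, timeout=90.0, interval=2.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll until the CA reports a final state; return (status, number_of_polls)."""
    deadline = clock() + timeout
    polls = 0
    while True:
        status = fetch_status()
        polls += 1
        if status in TERMINAL:
            return status, polls
        if status not in IN_PROGRESS:
            raise ValueError(f"unexpected challenge status: {status!r}")
        if clock() >= deadline:
            raise TimeoutError("challenge not final yet; keep the responder up")
        sleep(interval)

def simulated_ca(vantage_ips, firewall_allows):
    """Constructed stand-in for the CA: one validation connection per poll.
    Simplified model (an assumption): every connection must be admitted."""
    remaining = list(vantage_ips)
    state = {"status": "pending"}
    def fetch_status():
        if state["status"] in TERMINAL:
            return state["status"]
        ip = remaining.pop(0)
        if not firewall_allows(ip):
            state["status"] = "invalid"      # a validation source was blocked
        elif remaining:
            state["status"] = "processing"   # one hit arrived, more to come
        else:
            state["status"] = "valid"        # every source got through
        return state["status"]
    return fetch_status

# Constructed addresses from the RFC 5737 documentation ranges, not real CA addresses.
VANTAGE_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]

def run(firewall_allows):
    """Run one simulated validation without real sleeping."""
    fetch = simulated_ca(VANTAGE_IPS, firewall_allows)
    return wait_for_challenge(fetch, sleep=lambda _seconds: None)

if __name__ == "__main__":
    print("open firewall:      ", run(lambda ip: True))
    print("one-address allowlist:", run(lambda ip: ip == "192.0.2.10"))
```

In a real client, `fetch_status` would read the challenge object's `status` field from the ACME server, and the challenge responder stays in place until that field is final.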