For incoming HTTP requests to validate control over the domain, you need to allow requests for the /.well-known/acme-challenge path.
This FAQ may help explain some of what's going on, with Let's Encrypt needing to check from multiple places that regularly change:
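As an added illustration of the allow-rule described above (example code written for this page, not from the original post or from Let's Encrypt): the request filter below lets any source reach the HTTP-01 challenge path, because the validation servers' addresses are not fixed, while every other path stays subject to the usual source-network allowlist. It normalizes the path first so that a `..` segment or percent-encoded traversal cannot ride the exception out of the challenge directory, and it only accepts a single token made of the base64url characters ACME tokens use. The function names, the sample networks and the sample requests are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Only this directory is exempt from the source-network check.
ACME_PREFIX = "/.well-known/acme-challenge/"
# HTTP-01 challenge tokens consist of base64url characters (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def normalize_path(raw_target):
    """Return a canonical absolute path, or None if the request target is unusable.

    Query string is dropped, percent-encoding is decoded, and '.', '..' and empty
    segments are resolved so a traversal cannot masquerade as a challenge path.
    """
    path = unquote(urlsplit(raw_target).path)
    if not path.startswith("/"):
        return None
    segments = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # tried to climb above the document root
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_acme_challenge(raw_target):
    """True only for /.well-known/acme-challenge/<single base64url token>."""
    path = normalize_path(raw_target)
    if path is None or not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    return bool(TOKEN_RE.match(token))


def allow_request(raw_target, client_ip, allowed_networks):
    """Decide whether a request may pass.

    Challenge-path requests are accepted from any source, since the CA validates
    from multiple, changing addresses. Everything else must come from one of the
    allowed networks (CIDR strings such as "10.0.0.0/8").
    """
    if is_acme_challenge(raw_target):
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed or spoofed client address: deny
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


if __name__ == "__main__":
    # Constructed sample requests: (target, client IP) against a constructed allowlist.
    INTERNAL = ["10.0.0.0/8"]
    samples = [
        ("/.well-known/acme-challenge/abc_DEF-123", "203.0.113.5"),   # CA validator: allowed
        ("/.well-known/acme-challenge/../../etc/passwd", "203.0.113.5"),  # traversal: denied
        ("/admin", "10.0.0.4"),                                       # internal source: allowed
        ("/admin", "203.0.113.5"),                                    # external source: denied
    ]
    for target, ip in samples:
        print(f"{ip:>12}  {target:<45}  {'ALLOW' if allow_request(target, ip, INTERNAL) else 'DENY'}")
```

Plugging the same rule into a real front end means one explicit location for `/.well-known/acme-challenge/` placed before any IP-based restriction, which is exactly what `allow_request` models: the exemption is path-scoped and token-shaped, not a blanket hole.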