Thanks @JuergenAuer, however beg to differ. On the premise there is no 100% security anywhere, not on the web, not in the real world, limiting exposure by eliminating avenues & raising multiple barriers is prudent in security. Certainly, not as exclusive defense. Eventually, as things stand, if server is truly worth hacking (ex. bank) it may be hacked. Our servers, glad to say, are not worth the volume of trouble required to hack them, due to (among others) limited exposure. This includes blocking all countries not interested in, and server clusters known as trouble hubs. Little value, if any, exposing ourselves to the likes of AWS. Cost of blocking them, negligible. All “for fun & glory” efforts against us, as well as for-profit ones, have to date failed miserably.
(Hope this doesn’t sound like a lecture, not meant to be. Despite experience, learning new things by the day, full of ears!).
My point: believe Let's Encrypt better avoid verifying from AWS IPs or any such extensive cloud known open to abuse, and liable to firewall blocking.
Let's Encrypt rightly limits exposure by not publicizing its IPs for whitelisting. Others have similar concerns, which should not be snubbed. Maybe it’s not exactly the same, but in principle it’s the same.