Thanks @mnordhoff for hinting at the AWS issue. Have arrived here with the same (comparatively recent) problem on all our servers, resolved by bulk deleting AWS IPs from firewall.
AWS is a well-known hub of spammers, scrapers, bots & all sorts of nasties. We increasingly faced a non-stop storm of all sorts of “attacks” from AWS IPs, getting involved in a futile whack-a-mole campaign of banning individual offending IP ranges - till we decided to block en masse all AWS known IPs and thus get some peace of mind.
Since overall we are not aware of what Let's Encrypt IPs to whitelist, we are forced to weaken our firewall to a great extent to be able to use Let's Encrypt.
Unwittingly Let's Encrypt, dedicated to web security, is in effect exposing our servers to security issues by weakening, by some of its decisions, some of our firewall defenses.
I am not advocating here publication of IPs to whitelist. They have indeed to remain secret. However, Let's Encrypt IPs should be far, far away from clusters that are candidates for IP range blacklisting such as AWS, Google, Microsoft, Oracle, Hetzner and other such nasty clouds.
I hope this makes sense.