Let’s Encrypt does not publish IP addresses as they may change at any time.
Presently (again, subject to change at any time) you need to let USA, Sweden, and Singapore through the firewall.
Let's Encrypt does not publish the IP addresses of its auth servers. The IP addresses often change from one challenge to the next.
I don't see any problems connecting to your domain. I can even connect using HTTPS and see your (expired) Sectigo cert.
Sorry, I now see you allow only US sources to connect to you. Bruce already described the countries that Let's Encrypt currently uses. These may change anytime.
Also, other Certificate Authorities will need to be doing similar things as standards are changing. But maybe one of them will work now. You could also just renew your paid Sectigo cert. The validation process may be different.
Another option is to use a DNS Challenge. These are often harder to set up and require your DNS server to accept queries from non-USA origins too. But this is often the case.
Below is a very good post describing the validation and choices.
Possibly using another free ACME CA might be your best choice.
Edit:
Here, https://www.login.gov/, also a USA government agency, seems to have no trouble using Let’s Encrypt. You might ask them about the firewall setup they are using; as you work for the same employer, I would expect internal coordination and communication to be quick and efficient for you.
Please also consider using the DNS-01 Challenge instead of the HTTP-01 Challenge as the validation only needs to communicate with the domain’s Name Servers.
Can you update the DNS records for that domain? You could use a DNS Challenge. Although, I looked at your DNS provider's website and don't see that they offer an API to update their records.
So, you would be stuck doing a manual cert issuance every 60 days or so. We don't recommend manual processes.
Maybe the people who manage the base name have figured out a way to use the DNS Challenge. Do you know who they are?
Do you have a way to temporarily disable the geo block? Is it possible to use a Certbot pre-hook and post-hook to disable and enable it just for the cert issuance? That usually only takes a few seconds and is only needed when getting a cert so about every 60 days.
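The pre-hook/post-hook idea above, worked through as an added example that is not from this thread or from Certbot itself. It generates a pair of Certbot renewal hooks: the pre hook inserts an iptables ACCEPT for TCP/80 from any source ahead of the geo-block rules, and the post hook removes exactly that rule again, so port 80 is open to non-US sources only for the few seconds of the renewal attempt. Assumptions: the geo-block lives in the iptables INPUT chain, the hook file names and the tag comment "acme-http01-window" are mine, and the hook root directory is passed in (Certbot's default is /etc/letsencrypt/renewal-hooks).

```shell
#!/bin/sh
# Added example (not from the thread or Certbot): generate a pre/post hook pair
# that opens TCP/80 to all sources only for the duration of a renewal attempt,
# so an inbound geo-block does not break HTTP-01 validation.
# Assumptions: iptables INPUT chain holds the geo-block; hook root is $1
# (Certbot's default root is /etc/letsencrypt/renewal-hooks, with pre/ and post/).
set -eu

# Write the pre hook: insert an ACCEPT for port 80 at position 1 of INPUT,
# tagged with a comment so the post hook can remove it precisely.
write_pre_hook() {
  cat > "$1" <<'EOF'
#!/bin/sh
set -eu
# Open TCP/80 from any source for this renewal attempt only (tagged rule).
iptables -I INPUT 1 -p tcp --dport 80 -m comment --comment "acme-http01-window" -j ACCEPT
EOF
  chmod 0755 "$1"
}

# Write the post hook: delete the tagged rule; loop in case the pre hook ran
# more than once and left duplicates. Runs after the attempt, success or not.
write_post_hook() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Close the window: remove every copy of the tagged rule.
while iptables -D INPUT -p tcp --dport 80 -m comment --comment "acme-http01-window" -j ACCEPT 2>/dev/null; do
  :
done
EOF
  chmod 0755 "$1"
}

# Install both hooks under a Certbot-style hook root (pre/ and post/ subdirs).
install_geoblock_hooks() {
  hookroot="$1"
  mkdir -p "$hookroot/pre" "$hookroot/post"
  write_pre_hook "$hookroot/pre/open-acme-window.sh"
  write_post_hook "$hookroot/post/close-acme-window.sh"
}

# Sanity check: both hooks exist, are executable, and parse as valid sh.
verify_hooks() {
  for f in "$1/pre/open-acme-window.sh" "$1/post/close-acme-window.sh"; do
    [ -x "$f" ] || return 1
    sh -n "$f" || return 1
  done
  return 0
}

# Usage: sh make-acme-hooks.sh /etc/letsencrypt/renewal-hooks
if [ -n "${1:-}" ]; then
  install_geoblock_hooks "$1" && verify_hooks "$1" && echo "hooks installed under $1"
fi
```

Certbot runs every script in the pre/ directory before it attempts any renewal and every script in post/ after the attempt, whether it succeeded or not, so the window closes even on a failed validation. Because Let's Encrypt validates from several network perspectives in one attempt, the rule has to stay in place for the whole run rather than for a single request, which is why the hook pair, not a one-shot allow, is the right shape.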
Of course, you could always try a different Certificate Authority or even a paid certificate. But, as noted in the Multi Perspective thread I linked to, other CAs will be doing similar validations in the future (and some do today).
Welcome to the Let's Encrypt Community, @njohnson01!
You could put a higher exception in your firewall rules that allows all traffic only to the acme-challenge path for HTTP-01 challenges. Not like you face much, if any, risk from that.
If you have to geoblock, I would suggest geoblocking specific countries. I'd guess that the ones you're most likely to block (from the US) are also the least likely to become Let's Encrypt validation perspectives.