I don't think anybody really has more debugging information they could give you. All Let's Encrypt's servers know is that they sent packets addressed to your server and didn't get a response. If the primary datacenter can connect but the secondary locations can't, the error message specifically calls out that "secondary validation" failed.
It gets tricky to publish which IPs can and can't connect to your systems, as that information would also be valuable to somebody trying to trick what routes Let's Encrypt's networks should use and such. They need to try to ensure that the requester of the certificate owns the certificate as seen from everywhere on the Internet.