LetsEncrypt and Firewalls
You may want to create some firewall rules to allow only LetsEncrypt to get to your port 80
or if you live in a country other than the US, you may want to filter HTTPS to only your country
BUT LetsEncrypt moves its IP addresses around intentionally for security reasons
need to create allow rules for the following DNS entris
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org