Let's Encrypt Certificate renewals failing

The other thing to note (if, like me, you enforced LE connections on the border firewalls) is that LE have started verification of the .well-known/acme-challenge from multiple global addresses - to stop (minimise) local redirection of the challenge. The solution for me [but I only have one service] was to open 80 to all incoming addresses, refresh the LE cert and lock down again.
Not ideal, and I wish LE would allow you to specify a query port when making the first request (and FreePBX open up Fail2Ban for the duration of the queries).
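To keep the "open 80, renew, lock down" step from becoming a forgotten permanent hole, the window can be scripted so the firewall rule exists only while the ACME client runs and is removed even when renewal fails. The script below is an added example, not from the post above or from FreePBX; it assumes iptables as the firewall and certbot as the ACME client (FreePBX's own certificate manager is not driven here), and both commands are overridable through environment variables so it can be dry-run.

```shell
#!/bin/sh
# Added example: open TCP/80 to all addresses only for the duration of an
# HTTP-01 renewal, then close it again regardless of the outcome.
# Assumptions: iptables is the firewall and certbot is the ACME client.
# Both are overridable (e.g. IPTABLES=echo for a dry run).
IPTABLES="${IPTABLES:-iptables}"
CERTBOT="${CERTBOT:-certbot}"

# Rule spec kept in one place so insert and delete match exactly.
# The comment marks the rule as temporary for anyone inspecting the chain.
http_rule() {
    "$IPTABLES" "$1" INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m comment --comment acme-renew-window -j ACCEPT
}

open_http() {
    # -I places the rule first so it takes precedence over existing DROP rules.
    http_rule -I
}

close_http() {
    # -D removes the one rule inserted above (same spec, same comment).
    http_rule -D
}

renew_with_window() {
    # Open, renew, always close. The window lasts seconds, not until someone
    # remembers to lock the port down again.
    open_http || return 1
    "$CERTBOT" renew --non-interactive
    rc=$?
    close_http
    return "$rc"
}

# Only perform the real renewal when explicitly asked: ./renew-window.sh run
if [ "${1:-}" = "run" ]; then
    renew_with_window
fi
```

Run it from cron or a systemd timer in place of a bare `certbot renew`; the validation from multiple LE vantage points still succeeds because the port is open to all sources for the few seconds the challenge is served, and the rule is gone afterwards.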