Unfortunately, LetsEncrypt are no longer only originating connections from their well known IP addresses, and can (and do) now establish connections from anywhere on the internet.
To address that, we added the ‘LetsEncrypt’ service to Sysadmin, which is perfectly safe to expose to the internet on port 80, as it only provides letsencrypt and nothing else.