I’m reporting my experience on the last three setups, Lorne: The initial cert request failed until I disabled it. I re-enabled as soon as the cert was provided.
In each case we didn’t change anything else. Disable firewall in Connectivity, request LetsEncrypt cert, receive cert, enable firewall.
I’m not trying to be irresponsible. I’m trying to save others the hours of hair-ripping we’ve had on this in the last week or so. If others can make it work with the firewall enabled, that’s great.