This seems to be happening again. My workaround is to add the following custom firewall rules:
# Bypass Sentinel blocking Let's Encrypt
iptables -I zone_wan_input 1 -p tcp --dport 80 -j ACCEPT
iptables -I zone_wan_forward 1 -p tcp --dport 80 -j ACCEPT
Obviously this is not ideal as it bypasses all firewall rules, but in my case I don’t really have anything else exposed on port 80, except ACME http-01 challenges.