Hi,
Every node that you want to obtain a Let's Encrypt certificate for needs port 80 or 443 open.
In your case you could use, for example, the http-01 challenge (port 80) on the leader node and the tls-alpn-01 challenge (port 443) on node 3, so you could port forward port 80 to the leader node 1 and port 443 to node 3. This way both nodes should be able to obtain Let's Encrypt certs.
Please check the following post for information about how to change the challenge type on your nodes. Check which Traefik instance is used on each node so that you set it on the right Traefik instance, for example traefik1 on node 1 and traefik3 on node 3.
Another way would be to use the DNS challenge, so you don't need to open ports, but it needs to be set up on the CLI; see NS8 and DNS-01 wildcard certificates - #8 by neuron-ch
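
Added example, not part of the original post and not NS8's own configuration: how the split described above looks in plain Traefik static configuration, with one node answering http-01 on port 80 and the other answering tls-alpn-01 on port 443. The resolver name, e-mail address, storage path and entry point names are assumptions; on NS8 the challenge type is changed through the procedure in the linked post, not by editing these files directly.

```yaml
# Node 1 (leader), Traefik instance traefik1: http-01 challenge.
# The router/firewall forwards external port 80 to this node only.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:                  # assumed resolver name
    acme:
      email: admin@example.org  # placeholder contact address
      storage: /etc/traefik/acme/acme.json   # assumed path
      httpChallenge:
        entryPoint: web         # validation request arrives on port 80
---
# Node 3, Traefik instance traefik3: tls-alpn-01 challenge.
# The router/firewall forwards external port 443 to this node only.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:                  # assumed resolver name
    acme:
      email: admin@example.org  # placeholder contact address
      storage: /etc/traefik/acme/acme.json   # assumed path
      tlsChallenge: {}          # validation happens in the TLS handshake on port 443
```

Each YAML document is the static configuration of a separate node. With only one forwarded port per node, a node set to the wrong challenge type will fail validation, because the validation connection reaches the other node.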