Question regarding Let's Encrypt certificate

As @davidep says, port 80 needs to be open for renewal as well with the default configuration. To avoid this, use DNS validation instead; here’s how you can do that:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

Edit: Another option would be to run your own acme-dns instance. This takes a bit more setup, but you can do it with just about any DNS host. This trades one exposure for another–instead of port 80 being open to the world, it’s port 53. See here:
