Here’s a suggestion.
Go sign up for the $5 droplet at DigitalOcean. Follow the install guide to the letter, no copying of additional certificates or anything else.
DO droplets are prorated, if you follow the guide (which takes 30 minutes or less) the cost of proving the install is $0.02. If you don’t want the instance afterwards just hit the destroy button.
If it still fails then there’s something we can begin to troubleshoot.
If it works then it proves this isn’t a discourse issue. If you choose to use a more complicated environment you unfortunately also accept responsibility for the extra challenges it presents. The standard install has been proven on the Ubuntu image at DO and their Network policy doesn’t cause issues with Lets Encrypt (but does occasionally need moderate remediation to send email).
Note that if you’ve been requesting and re-requesting the same certificate name it’s possible that Let’s Encrypt has put that particular FQDN on cooldown.