I ran into the problem described here: Let's Encrypt suddenly unable to renew certificates - #5 by shillongserver
After some debugging and digging around, it seems that the default virtual server that’s created during initial configuration does not get an IPv6 address. This may result Let’s Encrypt trying to do the validation request over IPv6 rather than IPv4 resulting in a 404 (even though the validation file is being created).
Assigning an IPv6 address to the server fixes the issue.