I would use the DNS challenge so that you do not need to worry about an ACME server trying to reach your server:
Much simpler.