It’s not possible at the moment. I am working on an event dispatching system that might make this viable in the future, but no promises.
What you could do though, is use the DNS challenge instead of the HTTP or ALPN challenges if you need your firewall set up. The DNS challenge gets around ACME providers needing to connect directly to your server, by indirectly verifying ownership of the domain by checking for a special DNS record that is generated during the issuance flow.
If your DNS provider isn’t supported, you could consider using the duckdns plugin to delegate the challenge.