Lets Encrpt should support DNS Groups (more than one A Entry in DNS Record)
The Support told me, its a bug buy sophos design, so this should be fixed.
If you have a DNS Entry, with more than one A DNS entrys, Lets Encrypt does not work like the standard from lets encrypt define it. The verification does not work anymore.
The UTM have to listen to all A entrys and catch the handshake/verification request.