That is likely not to be good enough, because LetsEncrypt are using locations around the world; they have said that they will move to using multiple locations in multiple areas for an update, and they will not provide any list of the servers they use.
So the two options are all I can think of, and option 1 will likely need to be more open than just the USA, as they now use servers from all over the world and the ones they use are not restricted to the location you are in.
EDIT:
Actually, there is a third option, which is what LetsEncrypt recommend when you have corporate requirements to only open up ports to defined IPs, and that is to use the DNS-01 challenge instead of the HTTP-01 challenge: https://letsencrypt.org/docs/challenge-types/
Or, LetsEncrypt have also suggested having a separate server specifically for certificate validation, placing it in the DMZ, and then extracting the updated certs from the DMZ machine if they change.
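For the DNS-01 option above, the TXT record the CA looks up is derived from the challenge token and the ACME account key, so nothing inbound has to reach the web server. This added Python example (not from the original post or from Let's Encrypt) computes that value per RFC 8555 section 8.4 and RFC 7638, and checks a published record against it before validation is requested; the JWK coordinates and token are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed example values (not a real ACME account): an EC P-256 JWK with
# sample coordinates. The thumbprint only hashes the required members, so the
# strings need not form a valid curve point for this demonstration.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

# RFC 7638 section 3.2: required members per key type, in lexical order.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of required members."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value to publish at _acme-challenge.<domain> TXT (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_matches(token: str, jwk: dict, published: str) -> bool:
    """Pre-flight check: does the TXT value we see in DNS match what the CA expects?"""
    return published.strip() == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    print("_acme-challenge TXT value:", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
```

Run the check against the value your DNS resolver actually returns (e.g. from a `dig TXT _acme-challenge.example.com` lookup) once the record has propagated, before triggering validation.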