While setting up Netlify, I noticed that they were able to get an SSL cert even though my domain has HSTS and they don’t have access to my DNS (Cloudflare). A quick check of the Let’s Encrypt documentation revealed that for the HTTP-01 challenge they don’t check certificates. That not only makes the process potentially a bit safer, as it can go through HTTPS with a self-signed cert instead of plaintext HTTP, but also solves the edge case of an expired cert / first cert and HSTS with no access to DNS.
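A pre-flight check that walks the same path an HTTP-01 validator takes, as an added example that is not from the original post or from Let's Encrypt's code. It assumes the behaviour Let's Encrypt documents (the fetch starts on port 80, follows up to 10 redirects, only to http/https on ports 80 or 443, and skips certificate validation on HTTPS hops); the names `fetch_once` and `preflight` are hypothetical.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # documented Let's Encrypt redirect limit


def fetch_once(url):
    """One GET, no redirect following. HTTPS certificates are deliberately
    not verified, to mirror the validator; never reuse this for real traffic."""
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + (f"?{u.query}" if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode(errors="replace")
    finally:
        conn.close()


def preflight(domain, token, expected, fetch=fetch_once):
    """Return (ok, visited_urls): would an HTTP-01 style fetch see `expected`?"""
    # Always starts over plain HTTP; HSTS is a browser policy and plays no part here.
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    visited = []
    for _ in range(MAX_REDIRECTS + 1):
        visited.append(url)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            nxt = urlsplit(urljoin(url, location))
            default = 443 if nxt.scheme == "https" else 80
            if nxt.scheme not in ("http", "https") or (nxt.port or default) not in (80, 443):
                return False, visited  # redirect target the validator would refuse
            url = nxt.geturl()
            continue
        return status == 200 and body.strip() == expected, visited
    return False, visited  # redirect chain too long
```

Passing a custom `fetch` callable lets the redirect logic be exercised against constructed responses without touching the network.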