Okay, I think I got it sorted.
In my case, that IP address that wasn’t from Netlify was in the domain.com DNS records. It turns out the client had purchased some multi-service webmail and hosting package from web.com months ago, and somehow the DNS records at domain.com were altered to allow web.com to host the website, but without any content. I deleted those records, and the Let’s Encrypt security is working now.
Not sure what you’ll see when you dig, but as far as I can tell it is set up properly at this point. Sid Mann pointed out a few things to me over private email. The documentation at [Support Guide] DNS Quick Start - How to set up DNS helped, but didn’t prepare me for the possibility that a client might have authorized a 3rd party service to make some changes to the DNS settings at Domain.com.
If I were to try to troubleshoot this exact issue for another person, I’d tell them that when a client has access to the domain registrar, to check both the DNS Records and Nameservers at Domain.com and make sure there aren’t a bunch of 3rd party DNS records added.
Yes, those were the default domain.com servers. On Domain.com specifically, no changes can be made to the DNS Records for a website unless the nameservers point to domain.com [ns1.domain.com and ns2.domain.com nameservers specifically]. So one guess is someone added those in order to add the web.com DNS records but not outright delete the four Netlify nameservers.
Another self-deprecating guess is that the web.com DNS records were there the entire time that I was first building the website and I just didn’t notice, but it doesn’t look like the web.com records are that old. Either way, I think it’s repaired now.
Just blogging this for good documentation. Thank you for your help with the dig!
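As an added example (not part of the original post or of any Netlify tooling), here is a POSIX shell check for the troubleshooting step described above: feed it the output of `dig +short NS` and `dig +short A` for the domain and it lists any nameserver or address that is not on your allow-list, which is how a leftover third-party record at the registrar shows up. The expected-nameserver suffix and the allowed IPs below are placeholders to replace with your provider's real values.

```shell
#!/bin/sh
# Added example: audit dig output for records that do not belong to the
# provider you expect. Provider values are placeholders (assumptions).

# Print nameservers that do not end with the expected suffix.
# $1 = NS records, one per line (as from `dig +short NS domain`)
# $2 = expected nameserver suffix, e.g. ".expected-dns.net."
stray_nameservers() {
    printf '%s\n' "$1" | while IFS= read -r ns; do
        if [ -n "$ns" ]; then
            case "$ns" in
                *"$2") ;;                      # expected provider, keep quiet
                *) printf '%s\n' "$ns" ;;      # anything else is suspect
            esac
        fi
    done
}

# Print A records that are not in the allowed list.
# $1 = A records, one per line (as from `dig +short A domain`)
# $2 = space-separated list of allowed IPv4 addresses
stray_a_records() {
    printf '%s\n' "$1" | while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            found=0
            for ok in $2; do
                if [ "$ip" = "$ok" ]; then found=1; fi
            done
            if [ "$found" -eq 0 ]; then printf '%s\n' "$ip"; fi
        fi
    done
}

# Combine both checks: prints stray records, returns 0 if clean, 1 otherwise.
# $1 = NS records, $2 = A records, $3 = expected NS suffix, $4 = allowed IPs
audit_dns() {
    out=$(stray_nameservers "$1" "$3"; stray_a_records "$2" "$4")
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample mimicking the situation in the post: a registrar
# nameserver and an unexpected host sitting next to the expected records.
SAMPLE_NS="ns1.expected-dns.net.
ns1.domain.com."
SAMPLE_A="203.0.113.10
198.51.100.7"
if audit_dns "$SAMPLE_NS" "$SAMPLE_A" ".expected-dns.net." "203.0.113.10"; then
    echo "clean"
else
    echo "stray records found (see above)"
fi
```

For a live check, replace the sample variables with `"$(dig +short NS domain.com)"` and `"$(dig +short A domain.com)"`; when the list is clean, compare it against the nameserver delegation at the parent zone (`dig NS domain.com @a.gtld-servers.net`) to confirm the registrar points where you think it does.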