I have not done any tests to confirm this, but here’s what I think ought to be the minimum set of firewall rules you need for Let’s Encrypt: For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS). For HTTP-01 (for example via certbot's webroot plug…