See here was discussed already Dynamic firewall blocks Let's Encrypt renewals
And here workaround
Let's Encrypt servers are blocked since Turris OS 7.1 - #18 by joachimesque
You may also use acme.sh so no need for port 80 and verification is via DNS.
Also there was discussion somewhere that you may need to add LetsEncrypt hosts to DynFirewall whitelist. Added in some version before. If you preffer to use HTTP verification