It seems Turris’ “dynamic firewall” tends to block let’s encrypt servers altogether. This was previously reported here:
… neither of which were solved in any satisfactory way. The first answer just showed how to list the blocked IPs and the second one doesn’t really have an answer other than “disable SYN-flood protection”.
In my case, I figured the problem was the dynamic firewall and I completely disabled it. This was discussed within the Let’s Encrypt forum here:
… but I think the Turris community should avoid triggering bans on Let’s Encrypt, as it’s not an attacker.
Could something be done upstream so that security protections could be enabled without breaking TLS certificate renewals?
It’s tricky as AFAIK Let’s Encrypt tries to access the web sites from multiple locations/IPs so we can’t simply put them on the white list. But we should be able to recognize by accessed URL that it is acme challenge and ignore it in our honeypots…
Just my +1 that I have been just bitten by this problem. It cost me an hour to find out what the culprit could be. After disabling the dynamic firewall by changing option sentinel_dynfw '1' to '0' for the wan zone in /etc/config/firewall, I was able to renew all the certificates.