'Enable SYN-flood protection' and letsencrypt

I have a reverse proxy exposed to the internet behind a Turris Omnia using bunkerized-nginx, and today it seems my Let's Encrypt certificates expired. Renewing them failed, as well as regenerating them, because it seems the http-01 challenge requires 4 HTTP GETs from 4 different IPs… and I only receive 1, 2 or 3 but never 4, so I thought it was my ISP that was blocking some Let's Encrypt IPs…

After a lot of trial and error, it turns out the ‘Enable SYN-flood protection’ firewall setting was the culprit… disabling it made the renewal/regeneration work flawlessly.

Not sure if that setting can be tweaked somehow to prevent this issue, but just in case someone else is struggling with this, the fix is just to disable that setting.
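For reference, this is what that LuCI checkbox corresponds to in the OpenWrt-style `/etc/config/firewall` that Turris OS uses (an example added by the editor, not configuration from the original post or from the Turris project). `synflood_protect` (older configs use the equivalent `syn_flood`), `synflood_rate` and `synflood_burst` are documented fw3 options, and the defaults noted in the comments (25 SYN/s, burst 50) are OpenWrt's documented defaults. The raised thresholds in the second fragment are an assumed tuning to try before switching the protection off entirely; the post above does not establish whether they are enough for the ACME validators, so treat them as a starting point, not a verified fix.

```uci
# Fragment 1: the 'defaults' section as LuCI writes it when
# 'Enable SYN-flood protection' is ticked. Only the flag is present,
# so fw3 applies its defaults: synflood_rate 25/second, synflood_burst 50.
# Every new TCP connection above that rate is dropped, regardless of
# source, which is what starves the http-01 validators described above.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Fragment 2 (assumed tuning, not verified against Let's Encrypt):
# keep the protection but raise the thresholds so a short burst of
# validation connections arriving from several IPs at once is not
# rate-limited. synflood_rate is the SYN rate above which traffic is
# treated as a flood; synflood_burst is the burst allowed above that rate.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option synflood_rate '100/second'
	option synflood_burst '200'

# Fragment 3: what the post above ended up doing, i.e. the protection
# switched off. Equivalent to unticking the LuCI checkbox.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '0'
```

Only one `config defaults` section belongs in the real file; pick the fragment you want, then apply it with `/etc/init.d/firewall reload` and re-run the certificate renewal. On fw3-based Turris OS releases the rule lives in a chain named `syn_flood` in the filter table, so `iptables -vnL syn_flood` before and after a renewal attempt shows whether the DROP counter is the one absorbing the missing validator connections.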