I have a Turris router and behind that a Paspberry Pi providing a web server that uses Letsencrypt certificates. This used to work fine, but since replacing my old router with a Turris one upgrading the certificate using certbot renew is fails. The Turris is setup to forward ports 80 and 443 to the pi. That works fine. I can access files in .well-known/acme-challenge fine from outside the network.
Running certbot renew claims a timeout though and suggests this may be a firewall issue. Looking at the web server it get 1, sometimes 2 requests from letsencrypt. From the letsencrypt forum I understand I’m supposed to get at 3 or 4. Thus, some are lost. I’m pretty sure this is not the server on the Pi rejecting. That leaves my ISP (Ziggo, the Netherlands) and my router where I suspect the router first as that changed. It has the dynamic distributed firewall enabled.
I didn’t find a good way to disable the dynamic distributed firewall. In the end I uninstalled the Dynamic Firewall package, though without rebooting. That didn’t make a difference. I have a couple of questions:
- Anyone else with this problem?
- Is there a way to view the connections dropped by the Dynamic Firewall?
- (How) Can I easily disable it?
Even if this works and disabling allows me to renew the certificates this isn’t ideal 
Suggestions are welcome!