Letsencrypt rejecting some probes (timeout)?

I have a Turris router and behind that a Raspberry Pi providing a web server that uses Letsencrypt certificates. This used to work fine, but since replacing my old router with a Turris one, upgrading the certificate using certbot renew fails. The Turris is set up to forward ports 80 and 443 to the Pi. That works fine. I can access files in .well-known/acme-challenge fine from outside the network.

Running certbot renew claims a timeout though and suggests this may be a firewall issue. Looking at the web server, it gets 1, sometimes 2 requests from letsencrypt. From the letsencrypt forum I understand I’m supposed to get 3 or 4. Thus, some are lost. I’m pretty sure this is not the server on the Pi rejecting. That leaves my ISP (Ziggo, the Netherlands) and my router, where I suspect the router first as that is what changed. It has the dynamic distributed firewall enabled.

I didn’t find a good way to disable the dynamic distributed firewall. In the end I uninstalled the Dynamic Firewall package, though without rebooting. That didn’t make a difference. I have a couple of questions:

  • Anyone else with this problem?
  • Is there a way to view the connections dropped by the Dynamic Firewall?
  • (How) Can I easily disable it?

Even if this works and disabling allows me to renew the certificates, this isn’t ideal. Suggestions are welcome!
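The post above reasons from how many Let's Encrypt probes reach the web server. Here is an added example (my own, not from the thread or from certbot) that turns that reasoning into a check: it parses web-server access-log lines in combined log format, groups requests under `/.well-known/acme-challenge/` by challenge token, counts the distinct source IPs that fetched each token and flags tokens that got fewer probes than expected or any non-200 response. The sample log lines, the token names and the validator User-Agent text are constructed, and the threshold of 3 is simply the figure quoted from the forum above, passed in as a parameter.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample access-log lines (not from the original post).
# tokenA: only two vantage points reached the server.
# tokenB: four vantage points reached it, all answered 200.
# tokenC: one probe arrived but the server answered 404.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "(constructed validator UA)"
198.51.100.7 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "(constructed validator UA)"
192.0.2.55 - - [10/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [10/May/2024:12:05:01 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "(constructed validator UA)"
198.51.100.7 - - [10/May/2024:12:05:02 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "(constructed validator UA)"
198.51.100.23 - - [10/May/2024:12:05:02 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "(constructed validator UA)"
203.0.113.99 - - [10/May/2024:12:05:03 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "(constructed validator UA)"
203.0.113.10 - - [10/May/2024:12:10:01 +0000] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 404 196 "-" "(constructed validator UA)"
"""


def acme_probes(log_text):
    """Group challenge requests by token: token -> {source_ip: http_status}."""
    probes = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(ACME_PREFIX):
            continue
        token = m.group("path")[len(ACME_PREFIX):]
        probes[token][m.group("ip")] = int(m.group("status"))
    return probes


def check_validation(log_text, expected=3):
    """Return token -> (distinct probing IPs, {ip: non-200 status}, looks_ok).

    looks_ok is True only when at least `expected` distinct IPs fetched the
    token and every fetch was answered with 200.
    """
    report = {}
    for token, by_ip in acme_probes(log_text).items():
        errors = {ip: status for ip, status in by_ip.items() if status != 200}
        looks_ok = len(by_ip) >= expected and not errors
        report[token] = (len(by_ip), errors, looks_ok)
    return report


if __name__ == "__main__":
    for token, (count, errors, ok) in check_validation(SAMPLE_LOG).items():
        verdict = "ok" if ok else ("server error" if errors else "probes missing")
        print(f"{token}: {count} probing IP(s), errors={errors} -> {verdict}")
```

Reading the output the way the post does: a token that was fetched by fewer distinct IPs than expected while every fetch that did arrive got a 200 points at probes being lost before they reach the Pi (router or ISP), whereas a 404 or other non-200 status points at the web server itself. Run it against the real access log with `check_validation(open("/var/log/nginx/access.log").read())` (path assumed; adjust for your server).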

IIRC, connections dropped by the dynamic firewall are not logged; only the rest is.
Disabling the dynamic firewall should be the way to test that.

Thanks! That is one. How do I disable the dynamic firewall except for removing it from the installed packages? If I remove it, do I need to reboot the router to make this effective?