this
95.46.108.21
That would mean you're blocking every outgoing connection to the internet, not just Let's Encrypt (=CloudFlare).
yup, and I have to add a specific rule to allow traffic for letsencrypt (certbot) somehow
Let's Encrypt uses Cloudflare as their CDN in front of the ACME server. You can find the used IP address ranges by Cloudflare here: https://www.cloudflare.com/ips/
As they said "You can also use the Cloudflare API to access this list", you might be able to script this somehow into iptables. I.e., a cronjob checking the current rules and checking them with the list retrieved from the CF API or something like that. Perhaps somebody already has figured something out
thanks, I'll add them to the list of allowed IPs
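One way to script the cron-job idea from the thread, as an added example that is not code posted by any participant: it validates a downloaded CIDR list and prints the iptables commands for a dedicated egress chain, refusing to emit anything when the list contains no valid range. The chain name `ACME-OUT`, the function names and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. CHAIN is a hypothetical chain name; jump to it once from
# OUTPUT, ahead of the rule that drops outgoing traffic.
CHAIN="ACME-OUT"

# Succeeds only for a well-formed IPv4 CIDR (octets 0-255, prefix 0-32).
valid_cidr4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads one CIDR per line on stdin and prints the commands that rebuild the
# chain. Malformed lines (for example an HTML error page returned instead of
# the list) are skipped. Returns 1 and prints nothing when no valid range is
# left, so a failed download never flushes the existing allow-list.
build_rules() {
    rules=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            rules="${rules}iptables -A $CHAIN -d $line -p tcp --dport 443 -j ACCEPT
"
        else
            echo "skipping malformed entry" >&2
        fi
    done
    [ -n "$rules" ] || return 1
    printf 'iptables -N %s 2>/dev/null || true\niptables -F %s\n%s' \
        "$CHAIN" "$CHAIN" "$rules"
}

# Constructed sample input (documentation ranges, not Cloudflare's real ones).
build_rules <<'EOF'
192.0.2.0/24
198.51.100.0/24
<html>error page instead of a list</html>
EOF
```

In a cron job the function's stdin would be the list fetched from the Cloudflare page linked above, and its output would be piped to `sh` only when `build_rules` exits with status 0.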