I have not done any tests to confirm this, but here’s what I think ought to be the minimum set of firewall rules you need for Let’s Encrypt:
- For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS).
- For HTTP-01 (for example via certbot's webroot plugin): Allow incoming traffic on port 80 (HTTP) from anywhere.
- For TLS-SNI-01 (for example via certbot's standalone or apache plugin - this is probably what you used, if I’m interpreting “automated install” correctly): Allow incoming traffic on port 443 (HTTPS) from anywhere.
In case you’re wondering why it’s “anywhere” for HTTP-01 and TLS-SNI-01, and not a set of specific IPs: Let’s Encrypt plans to perform validation requests from a number of (possibly) unpredictable IP addresses in the future, in order to make spoofing validation requests harder. If you rely on a specific IP address being used, your deployment will break without any warning at some point.
If you’re looking for a challenge type that does not require allowing any incoming traffic, take a look at DNS-01. With that challenge type, domain ownership is demonstrated via a TXT record you create for your domain. Note that this is currently not supported by certbot; you’d have to use one of the alternative clients (take a look at lego or any of the bash clients).
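As an added example (this is not code from the post above or from any Let's Encrypt client), here is a small POSIX shell function that emits the iptables commands corresponding to the rule set described above for a given challenge type. It prints the commands rather than applying them, so the result can be reviewed before being piped to a root shell. Assumptions: IPv4 iptables with a DROP default policy on INPUT and OUTPUT and an existing rule that accepts ESTABLISHED,RELATED traffic; the hostname and ports are the ones the post names. One caveat a practitioner should know: iptables resolves a hostname in `-d` once, at rule insertion time, so the outbound rule silently goes stale if the API's address changes.

```shell
#!/bin/sh
# Added example: generate the minimal iptables rules for one ACME challenge type.
# Assumes INPUT/OUTPUT default policy DROP plus an ESTABLISHED,RELATED accept
# rule, so the appended ACCEPTs below are all that is needed for new flows.

ACME_HOST="acme-v01.api.letsencrypt.org"   # endpoint named in the post

acme_rules() {
    challenge="$1"

    # Every challenge type needs outbound HTTPS to the ACME API.
    # iptables resolves ACME_HOST once, when the rule is inserted; re-run this
    # after the endpoint's address changes, or allow outbound 443 to any host.
    printf 'iptables -A OUTPUT -p tcp -d %s --dport 443 -j ACCEPT\n' "$ACME_HOST"

    case "$challenge" in
        http-01)
            # Validation server fetches http://<domain>/.well-known/acme-challenge/...
            # from unpredictable addresses, hence no source restriction.
            printf 'iptables -A INPUT -p tcp --dport 80 -j ACCEPT\n'
            ;;
        tls-sni-01)
            # Validation server connects over TLS to port 443, again from anywhere.
            printf 'iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n'
            ;;
        dns-01)
            # Ownership is proven via a TXT record; no inbound port is required.
            ;;
        *)
            echo "unknown challenge type: $challenge (use http-01, tls-sni-01 or dns-01)" >&2
            return 1
            ;;
    esac
}

# Usage (review first, then apply as root):
#   acme_rules http-01
#   acme_rules http-01 | sudo sh
```

The outbound rule is the one most likely to bite later: if the API hostname ever resolves to a different address, the rule still points at the old one and renewals fail with a connection timeout, which is why many deployments simply permit outbound 443 to any destination.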