ok, new day and I want to check again and find out this:
root@turris:/# ~/acme -d router.jpleva.cz -r
[Thu Jun 9 09:22:13 CEST 2022] Renew: 'router.jpleva.cz'
[Thu Jun 9 09:22:13 CEST 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Jun 9 09:22:13 CEST 2022] Skip, Next renewal time is: 2022-08-08T03:02:14Z
[Thu Jun 9 09:22:13 CEST 2022] Add '--force' to force to renew.
It somehow renewed itself tonight.
The only change I made was adjusting the rule to not forward http to https for the /.well-known/ URL, which was probably the real problem, then. Other domains already had it.
But it's really weird that Let's Debug still complains about a connection issue... I've double-checked and I'm not blocking any of the IPs you mentioned. It's a really weird error...
Ok, I think that there is something in between LE and the router itself.
The same test against a server where I have 100% control (as it's server hosting) shows no problem, but on the home router it does. Looks like the ISP is maybe proactively blocking some part of the traffic or something; otherwise I have no idea what's going on there.
Anyway, now it's somehow working again, so thank you for the hint and the tip on what I should go for!
And my router is using those rules... I will try to report that...
So shortly:
the blocking was caused by a dynamic firewall rule
and the real issue was caused by forgetting to add an exclusion from forwarding the /.well-known/ URL to HTTPS (as done for the rest).
BTW - it would probably be good to provide more information about those connection errors (e.g. from what IP it fails to connect) and, as there are more of them, probably something like 2 of 4 failed. It would help a lot.
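The redirect exclusion described above, as an added example (not the Turris or acme.sh configuration from this thread): a minimal plain-HTTP handler that forwards everything to HTTPS except the HTTP-01 challenge path, which Let's Encrypt must be able to fetch on port 80 without a redirect. The hostname is the one from the thread; the challenge token and key authorization are constructed for the demo, and the `probe` helper is the same check you would run with `curl -sI http://host/.well-known/acme-challenge/<token>` and read the status code.

```python
"""HTTP->HTTPS redirect that exempts /.well-known/acme-challenge/.

Added example, not code from the thread. ROUTER_HOST comes from the thread;
the token and key authorization below are constructed sample values."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

ROUTER_HOST = "router.jpleva.cz"            # hostname from the thread
ACME_PREFIX = "/.well-known/acme-challenge/"
WEBROOT_CHALLENGES: Dict[str, str] = {      # constructed token -> key authorization
    "constructed-token-1": "constructed-token-1.constructed-thumbprint",
}


def route(path: str) -> Tuple[int, Optional[str], bytes]:
    """Decide how a plain-HTTP request is answered: (status, Location, body).

    The ACME challenge path is served over HTTP because the validator connects
    on port 80; everything else gets the usual HTTP->HTTPS redirect."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        body = WEBROOT_CHALLENGES.get(token)
        if body is None:
            return 404, None, b"not found"
        return 200, None, body.encode()
    # Default rule from the thread: forward HTTP to HTTPS for every other URL.
    return 301, "https://%s%s" % (ROUTER_HOST, path), b""


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, location, body = route(self.path)
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> Tuple[HTTPServer, int]:
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port: int, path: str) -> Tuple[int, Optional[str]]:
    """GET a path without following redirects (http.client never follows them)
    and report the status and Location header, like `curl -sI` would."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": ROUTER_HOST})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def self_check() -> Dict[str, Tuple[int, Optional[str]]]:
    """Spin up the handler locally and probe the three cases that matter."""
    srv, port = start_server()
    try:
        return {
            "challenge": probe(port, ACME_PREFIX + "constructed-token-1"),
            "unknown_token": probe(port, ACME_PREFIX + "nope"),
            "other": probe(port, "/index.html"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in self_check().items():
        print(name, result)
```

A 301 on the challenge path is exactly the symptom from this thread: the validator follows the redirect to HTTPS, and if that side is not ready (or a firewall rule intervenes) the challenge fails even though the token file is in place.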
I think the risk is that people will start whitelisting IPs if they are reported directly in error messages. This is something that has been discouraged so far because the IP pool changes frequently.
You're (at least) the third person on here who has encountered problems with Turris, though.
Yeah, that's right. Doesn't make too much sense, then.
Actually it's the first time I've had the issue (and it was obviously caused by something else). But it's good to keep that firewall in mind. Anyway, it definitely helps prevent more trouble than it actually causes (at least from my point of view; I've had no issue with the dynamic firewall so far, now it just pointed me in the wrong direction - that's the only problem I had).