Thanks. On a follow-up:
LetsEncrypt requires the following hosts to be permitted for inbound HTTP access:
outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org
Is it enough to open port 80 in the firewall or does it require any other ports? e.g.
-A INPUT -p tcp -s outbound1.letsencrypt.org --dport 80 -j ACCEPT
etc…