Exception for acme.sh in location based filter

I guess my restrictive settings in the Location Based Filter mask prevented the acme.sh script from automatically renewing my domain certificates.

As a workaround I manually forced renewal after disabling the Location Based Filter.

I do not know the origin of the validation servers (I guess US with a .org domain), but anyway I would prefer to insert an exception rule only for these servers instead of disabling the whole US within the Location Based Filter.

How do I extract the needed servers to create a firewall rule?

Let’s Encrypt has the following FAQ about their IPs:

https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

Their challenge process also now uses challenges from multiple regions in the world.
https://letsencrypt.org/2020/02/19/multi-perspective-validation.html

OK, I wondered anyway why it only worked without Location Based Filtering, because the initial request comes from my IP…

But if they hand it over to different servers that initiate the connection to my acme-challenge, then how do I provide access without opening my Location Based Filter for the whole US?

You will need to open up Location Block to at least the US and probably other countries as well; otherwise Location Block drops all incoming traffic from the specified countries.

However, remember that all that traffic will still be blocked by IPFire except for where you have created a Port Forward rule such as is needed for the renewal challenge process (port 80).

I am familiar with certbot and not with acme.sh but I am presuming that it uses a similar http port 80 based challenge validation method.


Yes, it does. Thank you very much!