Never had any experience with this issue, so this is a guess (probably wrong). I would try both source and destination firewall/all and accept on TCP port 80 and 443
Edit: maybe you could have a look at this thread: https://community.ipfire.org/t/lets-encrypt-certificates-for-ipfire/5789