The FQDNs used in your certificate must currently point to one or more official IP addresses. Enter all of these IP addresses here. OPNsense will automatically create a temporary port forward to allow the Let's Encrypt validation to succeed. This will lead to a short downtime of the service that is normally used with these IP addresses.

NOTE: This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.

You can use a DNS challenge with Let's Encrypt instead of HTTP: https://letsencrypt.org/docs/challenge-types/

HTH,
Patrick
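
A pre-flight check for the two conditions in the help text quoted above, as an added example that is not part of the original posts and is not OPNsense code: every FQDN must resolve only to addresses that were entered, and every entered address must be configured locally on the firewall. The function names, host names and addresses are hypothetical, and the sample DNS data is constructed from documentation address ranges.

```python
import ipaddress
import socket

# Constructed sample data (documentation ranges, hypothetical host names).
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10", "2001:db8::10"},
    "mail.example.com": {"192.0.2.25"},
}


def resolve_fqdn(fqdn):
    """Live lookup: addresses the system resolver returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, 80, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def sample_resolver(fqdn):
    """Offline stand-in for resolve_fqdn, backed by SAMPLE_DNS."""
    if fqdn not in SAMPLE_DNS:
        raise OSError("name not found")
    return {ipaddress.ip_address(ip) for ip in SAMPLE_DNS[fqdn]}


def check_http01_prereqs(fqdns, entered_ips, local_ips, resolver=resolve_fqdn):
    """Return a list of problems; an empty list means both conditions hold."""
    # Parsing normalizes spellings such as 2001:0db8::10 vs 2001:db8::10.
    entered = {ipaddress.ip_address(ip) for ip in entered_ips}
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    problems = []
    # Condition from the NOTE: entered addresses must exist on the firewall.
    for ip in sorted(entered - local, key=str):
        problems.append(f"{ip} is entered but not configured locally")
    # Condition from the first sentence: each FQDN points only to entered IPs.
    for fqdn in fqdns:
        try:
            resolved = resolver(fqdn)
        except OSError as exc:
            problems.append(f"{fqdn} does not resolve: {exc}")
            continue
        for ip in sorted(resolved - entered, key=str):
            problems.append(f"{fqdn} points to {ip}, which was not entered")
    return problems


if __name__ == "__main__":
    entered = ["192.0.2.10", "2001:0db8::10", "192.0.2.99"]
    local = ["192.0.2.10", "2001:db8::10"]
    for line in check_http01_prereqs(SAMPLE_DNS, entered, local, sample_resolver):
        print(line)
```

If this check reports problems that cannot be fixed, for example because the official addresses live on another device, the DNS challenge suggested in the reply avoids the dependency on locally configured addresses.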