diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
index 1fb6c94..34f7396 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
@@ -116,4 +116,7 @@ class cdn::ca(
 creates => '/root/.step/config/defaults.json',
 onlyif => 'test -f /opt/step-ca/data/certs/root_ca.crt'
 }
+
+ # Enable acme
+ # step ca provisioner add acme --type ACME --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
 }
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index f1c506a..29e44bf 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@@ -22,4 +22,10 @@ class cdn::mqtt(
 mode => '0644',
 content => template('cdn/mqtt/cdn.conf.erb'),
 }
+
+ sunet::nftables::allow { "allow-step-ca-acme":
+ from => 'any',
+ port => 80,
+ proto => 'tcp',
+ }
 }
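Review bot: In ca.pp the ACME provisioner is only recorded as a commented-out command, so Puppet never creates it and a rebuilt CA would lack ACME until someone runs the step by hand. If it is meant to stay manual, the comment should say so, e.g. `# Manual step, not applied by Puppet: run once after CA init to enable ACME`. Otherwise turn it into an `exec` guarded like the `creates`/`onlyif` on the resource just above, so it runs once and only after the root certificate exists. The body of `cdn::ca` starts outside this hunk, so a resource not visible here may already cover this.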
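Review bot: In mqtt.pp the new `allow-step-ca-acme` rule opens TCP port 80 with `from => 'any'`, which exposes whatever listens there to every source, while the rule name suggests that only the step-ca host needs to reach it (presumably for ACME http-01 validation). If that is the intent, narrow the source to the CA, e.g. `from => '<step-ca host address>',` (placeholder), and add a comment above the resource saying what the port is for. The body of `cdn::mqtt` starts outside the hunk, so it is not visible here what answers on port 80 or whether it listens only during issuance; worth confirming before merging. As a style point, the title has no interpolation, so `'allow-step-ca-acme'` in single quotes would match the quoting used elsewhere in the file.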