diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
index d4da2b8..c1f6500 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@@ -137,6 +137,12 @@ class cdn::cache(
 $dash_split = split($my_hostname,'[-]')
 $environment = $dash_split[2]
+ sunet::nftables::allow { 'allow-step-ca-acme':
+ from => '89.45.237.248', # internal-sto3-test-ca-1.cdn.sunet.se
+ port => 80,
+ proto => 'tcp',
+ }
+
 # Get client cert for connecting to MQTT bus
 exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]} --http-01-address ${facts['networking']['ip']}":
 creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
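Review bot: The new `sunet::nftables::allow` rule pins `from` to a single address that its comment identifies as the test CA, while the certbot exec just below picks its ACME server per environment through `${acme_url[$environment]}`; on a host in any other environment the HTTP-01 validation request would presumably arrive from a different CA address and be dropped, and the test CA would keep access to port 80 that it does not need there. Consider selecting the source address with the same `$environment` key, e.g. `from => $acme_ca_addr[$environment],`, where `$acme_ca_addr` is a placeholder name for a new hash defined next to `$acme_url`. A short comment above the rule, such as `# Port 80 is opened only for ACME HTTP-01 validation by certbot --standalone`, would also record why the port is exposed. The class body starts and ends outside this hunk, so the definition of `$acme_url` is not visible here.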