Running Nginx-ui on an AP node - ACME DNS challenge issue fails

Hello, I have 3 MX4300s running 24.10; 2 are configured as Access Points. I decided to install and run nginx on one of the APs since it is just sitting idle most of the time. I configured a reverse proxy for my HA instance, and it works (I already had a good cert). I prefer GUIs, so I found this lightweight nginx GUI, Nginx UI | Yet another Nginx Web UI. It has limited to no support, but it works. When I try to request a cert I get an error:

obtain cert error: error: one or more domains had a problem: [immich-doty.duckdns.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: xxx.xxx.xxx.xxx: Fetching http://immich-doty.duckdns.org/.well-known/acme-challenge/mLCWinZzeQvSJCfKMY6b2F7md7d3h7KBrFHTfKYtw7c: Timeout during connect (likely firewall problem)

  • I have set up the AP switch's LuCI page to use port 8080
  • On the router I have added a port forward rule for port 80 to the AP switch
  • I added a FW rule allowing port 80 from wan to lan (not sure this is needed, but I added it to rule it out as an issue)
  • Set up DuckDNS and verified the DNS lookup.
  • I can reach my website via http (I do get the "not safe" page and have to select continue)

Any idea what I am missing or going wrong?

Does that AP have a default gw and DNS set?

Only if you disallow connections from your network out to wan.
As @frollic suggests and asks: does the AP have a default gateway and nameserver?

Yes, they are set to my router.

I have not set any fw rules other than the one to allow port 80. From the AP I can run nslookup immich-doty.duckdns.org 99.79.16.64 and get my IP back.

Try rerunning acme, then manually grab the file at the URL you posted earlier using curl or wget. Does it work?
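The manual check suggested in this reply, as an added script that is not from the thread or from Nginx UI: it resolves the name, fetches the challenge URL with curl and names the hop that failed. It assumes curl is installed on the AP and reuses the URL and resolver IP quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nginx UI: does by script what the
# reply above suggests doing by hand. Assumes curl is installed on the AP; the URL and
# the resolver IP are the ones quoted in the thread.

CHALLENGE_URL='http://immich-doty.duckdns.org/.well-known/acme-challenge/mLCWinZzeQvSJCfKMY6b2F7md7d3h7KBrFHTfKYtw7c'
RESOLVER='99.79.16.64'   # external resolver the poster used with nslookup

# Split the challenge URL into host and path (pure POSIX sh, no sed needed).
url_host() { h=${1#*://}; h=${h%%/*}; printf '%s\n' "${h%%:*}"; }
url_path() {
  p=${1#*://}
  case $p in */*) printf '%s\n' "/${p#*/}" ;; *) printf '/\n' ;; esac
}

# Map the three observations to a diagnosis and a distinct exit status.
#   $1: name resolved (1/0)   $2: TCP connect to port 80 worked (1/0)   $3: HTTP status
diagnose() {
  [ "$1" = 1 ] || { echo 'dns: name does not resolve from this node (resolver / default gw)'; return 1; }
  [ "$2" = 1 ] || { echo 'connect: port 80 unreachable, same failure as in the acme error (forward / firewall)'; return 2; }
  case $3 in
    200) echo 'ok: challenge file served' ; return 0 ;;
    404) echo 'http: port reachable but no token there (acme client idle or token expired)' ; return 3 ;;
    *)   echo "http: unexpected status $3" ; return 4 ;;
  esac
}

# The live probe; run it on the AP while an acme attempt is in progress.
probe_http01() {
  host=$(url_host "$1")
  dns_ok=0; nslookup "$host" "$RESOLVER" >/dev/null 2>&1 && dns_ok=1
  # curl exit 7 = could not connect, 28 = timeout: both mean the TCP hop failed.
  code=$(curl -s --connect-timeout 5 -m 10 -o /dev/null -w '%{http_code}' "$1"); rc=$?
  case $rc in 7|28) tcp_ok=0 ;; *) tcp_ok=1 ;; esac
  diagnose "$dns_ok" "$tcp_ok" "${code:-000}"
}

# Usage on the AP: sh probe.sh --run [URL]   (defaults to the URL from the error)
if [ "${1:-}" = --run ]; then probe_http01 "${2:-$CHALLENGE_URL}"; fi
```

A pass from inside the LAN only shows that the router reflects the forward back to you; the CA connects from the internet, so repeat the fetch from an outside host before trusting the result.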

Ok, it worked this time. I have not made any changes. Do I need the port 80 FW rule? Should I have it?

No idea how duckdns verification works, but for outgoing traffic you don't.