...
https://letsencrypt.org/docs/allow-port-80/
"Allowing port 80 doesn’t introduce a larger attack surface on your server", said Let's Encrypt, "because requests on port 80 are generally served by the same software that runs on port 443."
However, Let's Encrypt only needs to be able to access the /.well-known/acme-challenge/ path. You can configure your firewall to block access to everything else, if you want.
Finally, you should check if or not port 80 is open
Navigate to http://your-dualshield-fqdn/cert/hello
