diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index ea931ecf..4ffd3208 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -104,6 +104,10 @@ spec:
 - toFQDNs:
 - matchPattern: "*.${DNS_MAIN}"
 - matchPattern: "*.${DNS_SHORT}"
+ # allow Let's Encrypt traffic for e.g. OCSP or CRLs
+ - toFQDNs:
+ - matchPattern: "*.lencr.org"
+ - matchPattern: "*.*.lencr.org"
 # DNS proxy to kube-dns, DNS L7 visibility
 - toEndpoints:
 - matchLabels:
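Review bot: The added `toFQDNs` rule for `*.lencr.org` and `*.*.lencr.org` carries no `toPorts`, so as far as the hunk shows it permits egress on every port and protocol to any address that resolves under that domain. OCSP and CRL fetches normally go over plain HTTP, so the rule can be limited to TCP 80 as in the snippet below; confirm the port against the AIA and CRL URLs in the certificates actually issued. The single-label pattern `*.lencr.org` may also be wider than needed if the responders all sit two labels deep, which the page does not show. The enclosing egress list and the body of the DNS-proxy rule that follows are outside the hunk, so check there that its DNS rules allow lookups for these names, since FQDN rules only apply to names the proxy has observed.

```yaml
- toFQDNs:
    # … unchanged: the two lencr.org matchPattern entries …
  toPorts:
    - ports:
        - port: "80"
          protocol: TCP
```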