The documentation, already updated with add-acme still says:
Domain names must resolve to the router, and TCP port 80 must be accessible from the WAN (HTTP-01 challange is used).
though. I don't think any dynamic accept rule is added.
I prefer to use my explicitly scheduled script, becaused I don't want www to run needlessly with a few FW rules being active all the time. Especially if the FW rule is in mangle postrouting, because it affects every non-fasttracked packets (not even having the benefit of being skipped due to "established,related").
And also because I need to make sure the other services are updated to use the renewed certificate. The automatic renewal currently doesn't have any scripting hook.