The external IP address of your PBX must resolve to the domain name you are requesting a certificate for if you are using acme HTTP-01 challenges ( which you are )
It’s not an LE or acme restriction, it’s Sangoma/FreePBX nonsense. The outbound request is NAT’ed to a different IP and FreePBX thinks the config is invalid when it’s not.
This is FreePBX causing problems by trying to be smart, but really being dumb.
This happens if the address the outbound request comes from does not match the resolved IP address of the cert dns name.
Common causes are NAT configuration or multi-homed machines where the default route is not using the same IP as the cert dns address.
If possible remove the device from any kind of NAT, configure 1-to-1 NAT for the server, adjust the outbound default route, or at least for any traffic destined for mirror1.freepbx.org.
There is nothing necessarily wrong with your setup, this is 100% a Sangoma/FreePBX self-inflicted problem. There is no requirement for such nonsense by LetsEncrypt or the acme protocol. There are many possible valid configs where the outbound request IP is not going to match dns cert IP.
I will say this is an odd design choice. We use let’s encrypt for several other webapps where the outbound ip doesn’t match the inbound ip. I’m pretty sure that’s common…
It will be complicated to change the ip address assignment as we use all of the addresses in our block for services with one dedicated for outbound traffic as some of the services we integrate with still filter inbound traffic by ip
I could see it as a post-failure diagnostic - your cert request failed, let’s see what we think could be a problem - but making assumptions about the all the possibilities of inbound proxies, outbound proxies, default routes, NAT setup, etc is guaranteed to fail.