LetsEncrypt 403 Forbidden

Does anyone know the source of this issue?
LetsEncrypt Generation Failure
Unable to update challenge :: authorization must be pending

Requested 'http://sitepbx.site.com//.freepbx-known/a2c02700---------------------0625be6' - 403 Forbidden Forbidden You don't have permission to access /.freepbx-known/a2c02700---------------------0625be6 on this server.
The FreePBX Firewall is not enabled.
The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.

Processing: sitepbx.site.com, Local IP:, Public IP: 99.—.—.217
Self test: trying http://sitepbx.site.com/.freepbx-known/a2c02700---------------------0625be6
Self test: received a2c02700---------------------0625be6
Requested ‘http://sitepbx.site.com//.freepbx-known/a2c02700---------------------0625be6’ -

403 Forbidden

You don’t have permission to access /.freepbx-known/a2c02700---------------------0625be6
on this server.

Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/acct/3---------0
Starting certificate generation process for domains
Requesting challenge for sitepbx.site.com
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5------------0
Got challenge token for sitepbx.site.com
Token for sitepbx.site.com saved at /var/www/html/.well-known/acme-challenge/guBMq-----------------------------------------IcO1Llfxo and should be available at http://sitepbx.site.com/.well-known/acme-challenge/guBMq-----------------------------------------IcO1Llfxo
Sending request to challenge
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5------------0/eAQGQg
Verification pending, sleeping 1s
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5------------0/eAQGQg

– Firewall disabled to narrow down the cause of the issue.
– HTTP port forwarded for both tcp and udp to
– VM on bridge mode
– Content of /etc/httpd/conf.d/schmoozecom.conf for port 80:
Listen 80
<VirtualHost *:80>
Alias /.well-known /var/www/html/.well-known
Alias /.freepbx-known /var/www/html/.freepbx-known
RewriteEngine on
# Serve only the two challenge directories, as plain text, and stop rule processing there
RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
# Any other request containing a dot-segment is refused with 403 Forbidden
RewriteRule (^\.|/\.) - [F]
DocumentRoot /invalid/folder/name
</VirtualHost>
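Added here as an illustration, not code from the thread or from FreePBX: a small Python model of how the two RewriteRule lines above evaluate a request path, fed with the token path from the log, the double-slash form that appears in the 403 message, and a dotfile. It assumes the stock file escapes the dots (`\.`), which the forum rendering strips, and exposes Apache's slash merging as a flag instead of deciding what this particular server does.

```python
import re

# Rewrite rules transcribed from the schmoozecom.conf excerpt above, in the
# order Apache evaluates them. Assumption: the real file escapes the dots.
RULES = [
    (r"^/\.(well-known|freepbx-known)/", "L"),  # pass through, stop processing
    (r"(^\.|/\.)", "F"),                        # any other dot-segment: 403
]


def merge_slashes(path: str) -> str:
    """Collapse runs of '/' the way Apache's MergeSlashes (2.4.39+) does."""
    return re.sub(r"/{2,}", "/", path)


def evaluate(path: str, merge: bool = False) -> str:
    """Simplified model of the two rules: 'allowed' or 'forbidden'.

    Paths matching neither rule are reported 'allowed' here; on the real
    server they would fall into the deliberately invalid DocumentRoot.
    """
    if merge:
        path = merge_slashes(path)
    for pattern, flag in RULES:
        if re.search(pattern, path):
            return "forbidden" if flag == "F" else "allowed"
    return "allowed"


# Constructed inputs: the challenge paths from the log, the double-slash form
# shown in the error message, and a dotfile the second rule exists to block.
SAMPLES = [
    "/.well-known/acme-challenge/TOKEN",
    "/.freepbx-known/TOKEN",
    "//.freepbx-known/TOKEN",
    "/.htaccess",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:38} literal={evaluate(p):9} merged={evaluate(p, merge=True)}")
```

Whether the live server collapses `//` before mod_rewrite sees the path depends on the Apache build (the MergeSlashes directive, on by default from 2.4.39), so the model shows both outcomes rather than claiming which one applies to the poster's box.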


Port 80 needs to be open for the method you have chosen. That’s actually a Let’s Encrypt question.

Hello jgttgns,
I have port 80 assigned to LetsEncrypt and the same port open on the router. Do you know if I need to make other changes?

You can always test your connection with (after the initial run):

certbot renew --dry-run

Also, you do not need to forward UDP connections.

I don’t think the FreePBX acme client is using certbot.

Thus your post is irrelevant.

Not if you handle the certs outside FreePBX, where the new certbot looks like the easiest method.

You can do that, but it’s not part of the ecosystem here. BUT if you want a better client that handles DNS-01 as well as HTTP-01 and issues clean certs without the current deprecated Let’s Encrypt intermediary ones, acme.sh will issue ZeroSSL certs cleanly.

DNS-01 will never need an open port on your server and acme.sh supports over 100 name services.

I actually forgot about the custom bash letsencrypt script. In more complex environments, where several public services are behind a firewall, the setup is likely more complicated anyway. Either the router or the cloud software decently handles the certs, or I use the certbot snap and distribute from there, if necessary.

On the other hand, a test function could also be added to the current script. It is helpful in customer networks. It is not always clear what the effects are in case someone else has fiddled with the router and/or firewall settings. At least the certs will still be valid after the next renewal round.

For complex deployments acme.sh has lots

For lots of public servers behind a firewall, look at a ‘reverse proxy’ (I use haproxy) inside and put all your certs in its frontend config; add a separate one on your router.

Yep, especially if there are a couple of nodejs apps in the background…

I’d call that normal, but it ain’t the standard config of the iso.

Sorry, not understanding your post.
Please reply to the original post succinctly if you have anything to help him.
