I had a bit of a struggle with Let’s Encrypt’s certbot today. Somehow it got 403 Forbidden each time it tried to authenticate the domain for my server. For all the other websites it worked without a problem.

I created a simple text file in /.well-known/acme-challenge to see if I could access it. Yes, it worked externally, but then I realized I got 403 Forbidden when I tried to access it from the server!

After lots of digging and testing I checked the general Apache error.log and saw these lines:
[Sun Jan 20 21:52:32.754574 2019] [authz_core:error] [pid 2238] [client 2001:4b98:dc2:47:216:3eff:fe9b:cec6] AH01630: client denied by server configuration: /var/www/

Seeing that IPv6 address gave me a clue, and soon I found out it was because my web server was not set up to listen on IPv6.
<virtualhost 185.26.124.99:80 [2001:4b98:dc2:47:216:3eff:fe9b:cec6]:80>

Adding it to the virtual host listen config solved it!
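
The check described above can be scripted. This is an added example, not code from the original post: it reads the client address from an AH01630 line and compares its IP version with the addresses a `<VirtualHost>` line binds. The function names and the IPv4-only "before" line are assumptions; the log line and the fixed vhost line are the ones quoted in the post.

```python
import ipaddress
import re

# Sample input: log line and fixed vhost line as quoted in the post.
LOG_LINE = ("[Sun Jan 20 21:52:32.754574 2019] [authz_core:error] [pid 2238] "
            "[client 2001:4b98:dc2:47:216:3eff:fe9b:cec6] AH01630: client denied "
            "by server configuration: /var/www/")
VHOST_AFTER = "<virtualhost 185.26.124.99:80 [2001:4b98:dc2:47:216:3eff:fe9b:cec6]:80>"
VHOST_BEFORE = "<VirtualHost 185.26.124.99:80>"  # assumed IPv4-only form before the fix

def client_family(log_line):
    """IP version (4 or 6) of the client in an AH01630 error-log line, else None."""
    m = re.search(r"\[client ([^\]]+)\] AH01630:", log_line)
    if not m:
        return None
    addr = m.group(1)
    # Apache may append ":port"; try the raw value first, then without the suffix.
    for candidate in (addr, addr.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate).version
        except ValueError:
            continue
    return None

def vhost_families(vhost_line):
    """IP versions a <VirtualHost ...> opening line binds to."""
    m = re.match(r"\s*<virtualhost\s+([^>]+)>", vhost_line, re.IGNORECASE)
    if not m:
        raise ValueError("not a <VirtualHost> opening line")
    families = set()
    for spec in m.group(1).split():
        # Drop a trailing ":port" or ":*", then the brackets around an IPv6 literal.
        host = spec.rsplit(":", 1)[0] if re.search(r":(\d+|\*)$", spec) else spec
        host = host.strip("[]")
        if host in ("*", "_default_"):  # wildcard forms match any local address
            families |= {4, 6}
            continue
        try:
            families.add(ipaddress.ip_address(host).version)
        except ValueError:
            pass  # hostname: Apache resolves it at startup; not classified here
    return families

def denied_outside_vhost(log_line, vhost_line):
    """True when the denied request arrived over an IP version the vhost does not bind."""
    fam = client_family(log_line)
    return fam is not None and fam not in vhost_families(vhost_line)

if __name__ == "__main__":
    print("before fix:", denied_outside_vhost(LOG_LINE, VHOST_BEFORE))
    print("after fix: ", denied_outside_vhost(LOG_LINE, VHOST_AFTER))
```

A True result means the request did not match that virtual host and was answered by whatever configuration Apache falls back to, which is where the deny came from.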