Mikrotik Configuration

Hello,

I have been trying to certify a FreePBX. I have done it with another server that does not go through a firewall; I connected it directly and it was certified easily.

The problem I have is with one that goes through a Mikrotik, where I get the following error. I have port 80 redirected to the PBX:

What configuration should the firewall, or in this case the Mikrotik, have? I have redirected port 80 to the PBX with a DST-NAT rule, but it still says that the connection has been rejected.

Hello @technologyutb, welcome to the Let's Encrypt community.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

Hi @technologyutb, and welcome to the LE community forum.

Until we get those answers...
The question about what configuration should be added to the Mikrotik should be asked on their support forum [not here].

3 Likes

Here is the link https://forum.mikrotik.com/

2 Likes

I understand, but at least there should be a basic configuration for a firewall from which you can know what protocols and gateways are being used, because I am letting everything through port 80 as indicated but it is not working.

1 Like

My domain is: I don't want to share it for security reasons.

I have executed this command: I do not execute any command, as I am using the Let's Encrypt module directly from FreePBX.

This output was produced: this is the image

My web server is (include version): FreePBX

The operating system my web server runs on is (include version): FreePBX with CentOS 7

My hosting provider, if applicable, is: Google domains

I can access a root shell on my machine (yes or no, or I don't know): yes

I use a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (for example, the output of certbot --version or certbot-auto --version if you are using Certbot): Not Applicable

You need to verify this from an outside network; I often use https://check-host.net/

2 Likes

And to assist with debugging, a great place to start is Let's Debug.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

Is there an LE log file?

1 Like

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

3 Likes

You are right, its name is pbx1.utbcloud.net

2 Likes

Checks from around the world show "Port 80: Connection timed out" (Check host - online website monitoring).

Let's Debug (https://letsdebug.net) is getting ERRORs for HTTP-01 here.

1 Like

Best Practice - Keep Port 80 Open

@technologyutb, do you know which challenge type (Challenge Types - Let's Encrypt) is being used by FreePBX?
Only the HTTP-01 challenge (Challenge Types - Let's Encrypt) needs Port 80.

1 Like

I do have the DST-NAT rule that points to port 80 but I don't know why it is rejecting the connection.

image

and thus redirects it to the internal LAN port.

From the Internet viewable IP Address I see this

$ curl -I http://pbx1.utbcloud.net
curl: (28) Failed to connect to pbx1.utbcloud.net port 80 after 131100 ms: Connection timed out

@technologyutb, can you run curl on your local LAN?
You do not need to share <pbx1.utbcloud.net local LAN IP Addr>, but the results of the execution would be helpful; be aware that if the command executes successfully there will be a Location: header that you may view as sensitive (so don't share that).
curl -I http://<pbx1.utbcloud.net local LAN IP Addr>
This will let us know if FreePBX is listening on Port 80.

3 Likes

A NAT rule is just a NAT rule.
Is there a matching firewall rule to allow inbound port 80?

4 Likes

Yes, I have a firewall rule, an input rule.
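As an added illustration of the NAT-versus-filter point raised above (this is example RouterOS configuration written for this thread, not the original poster's or Mikrotik's configuration), the two rules below show the pair a port-80 forward to a FreePBX host needs. The interface name ether1 (WAN) and the address 192.168.88.10 (FreePBX on the LAN) are assumed placeholders. The relevant detail is the chain: a packet that has been dst-nat'ed is destined for another host, so RouterOS evaluates it in the forward chain; input only sees traffic addressed to the router itself, so an input rule does not admit it.

```routeros
# Added example, not the thread's configuration.
# Assumed values: ether1 = WAN interface, 192.168.88.10 = FreePBX LAN address.

# 1) Destination NAT: rewrite inbound TCP/80 arriving on the WAN interface to the PBX.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="HTTP-01 to FreePBX"

# 2) Filter: the dst-nat'ed packet is forwarded to another host, so it is matched
#    in chain=forward (not chain=input). Accept it ahead of any forward drop rule;
#    connection-nat-state=dstnat restricts the accept to translated connections only.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=80 \
    connection-nat-state=dstnat connection-state=new action=accept \
    comment="allow dst-natted HTTP to FreePBX" place-before=0

# 3) Verify: both counters should increment while an external check (check-host,
#    Let's Debug, or curl -I from outside) is running.
/ip firewall nat print stats where comment~"FreePBX"
/ip firewall filter print stats where comment~"FreePBX"
```

If the filter counter stays at zero while the NAT counter rises, a drop rule earlier in the forward chain is discarding the translated packets; if neither moves, the packets are not reaching the router at all, which matches the "Connection timed out" result the external checks reported (a reject rule would produce "connection refused" instead). Mikrotik's default firewall already contains a forward rule that drops only new WAN connections with connection-nat-state=!dstnat, so the explicit accept in step 2 is needed only where a stricter forward policy was added.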

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.