It looks to me like you are only listening on https (port 443). I would bet that certbot is creating the .well-known directory, going out over the web to access it on port 80, and getting the same "forbidden" return that you are.
This is correct. You have to be listening and responding on port 80 for the renewal process to work. Did you not test the renewal process when you set everything up?
certbot renew --dry-run
Ok. Now it would seem you have some sort of auto-forward to https configured.
I'm betting that it's a browser cache issue on this one. If you don't clear your browser cache after making a change you're going to still be connecting via https.
To get around this whole issue you need to add a server block listening on port 80 and add 2 location blocks: the first for your .well-known directory for your renewal response, and the second for a redirect to 443 for your site. That way you can leave your config intact, all requests to your site will redirect to https, and your renewal requests will still go out and be answered via http.
This is a sample of my nginx configuration to give you an idea of what I'm talking about. I just set this up today and a dry run test works and the site is still served via https. This server block section would be placed above your current server block that is listening on port 443. I just purchased a domain for my site last night so disregard the multiple server name entries.
Code:
server {
    # plain-http listener used only for the ACME challenge and the redirect
    listen 80;
    server_name boredguy.chickenkiller.com www.boredguy.chickenkiller.com boredguy.showersnet.com www.boredguy.showersnet.com;

    # serve the certbot challenge files directly over http (no redirect)
    location /.well-known {
        root /usr/local/www/nginx;
    }

    # everything else goes to the https site
    location / {
        return 301 https://boredguy.showersnet.com$request_uri;
    }
}
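As an added example (not part of this thread or of certbot/nginx themselves), here is a small POSIX shell check you can run against an nginx config file before `certbot renew --dry-run`. It looks for the two things the post above says the renewal needs, a server listening on port 80 and a location for /.well-known, and reports which one is missing. The config paths and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# check_acme_http CONFIG_FILE
#   returns 0 if the file has a port-80 listener and a /.well-known location,
#   1 if no port-80 listener is found, 2 if the /.well-known location is missing.
check_acme_http() {
    cfg="$1"
    # matches "listen 80;", "listen 0.0.0.0:80;", "listen [::]:80;" but not 8080/443
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?80([[:space:]]|;)' "$cfg"; then
        echo "$cfg: no server block listening on port 80"
        return 1
    fi
    # matches "location /.well-known" and "location ^~ /.well-known"
    if ! grep -Eq '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/\.well-known' "$cfg"; then
        echo "$cfg: no location block for /.well-known"
        return 2
    fi
    echo "$cfg: port-80 listener and /.well-known location found"
    return 0
}

# Constructed sample: the layout recommended in the post (hypothetical domain).
good_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
server {
    listen 80;
    server_name example.test;
    location /.well-known {
        root /usr/local/www/nginx;
    }
    location / {
        return 301 https://example.test$request_uri;
    }
}
EOF

# Constructed sample: https-only config, the situation described at the top of the thread.
bad_cfg=$(mktemp)
cat > "$bad_cfg" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;
    location / {
        root /usr/local/www/nginx;
    }
}
EOF

check_acme_http "$good_cfg"
check_acme_http "$bad_cfg" || true
```

This only inspects the file; it does not replace `nginx -t` for syntax or the dry run itself, which also exercises DNS and any firewall in front of port 80.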