1. Make sure the .well-known and acme-challenge directories have their permissions set to 755
2. Create a random file test.txt in .well-known/acme-challenge/ and try to view it with a browser
If all of this is good, your certificate should renew. The problem I had on my server was that even when steps 1 and 2 were OK and working, I still got a permission denied message. The problem was that I had set up my Varnish engine to force SSL on non-SSL requests. When the bot requested http://somedomain.com/.well-known/acme-challenge/, it was automatically redirected to https://somedomain.com/.well-known/acme-challenge/. So,
4. Make sure you disable forced SSL during renewal.
Error message example:
Failed authorization procedure. s55ma.radioamater.si (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://s55ma.radioamater.si/.well-known/acme-challenge/i825k_Mk8YGTTD1GOsZvMCkZ0KaRFdext04LfQdelQs: "<!DOCTYPE html> <html> <head> <title>403 Forbidden</title> </head> <body> <h1>Error 403 Forbidden</h1> <p>Forb"
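Instead of switching the HTTPS redirect off for every renewal, the redirect can be kept and only the challenge path exempted. The VCL below is an added example (not the poster's configuration) and assumes a VCL 4.0 Varnish in front of a backend on 127.0.0.1:8080 with a TLS terminator that sets X-Forwarded-Proto; it goes a step beyond step 4 by leaving forced SSL on for everything except /.well-known/acme-challenge/.

```vcl
vcl 4.0;

# Assumed backend: the web server that actually serves the
# .well-known/acme-challenge/ files from the 755 directories above.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Let http-01 validation requests through on plain HTTP. The ACME
    # validator does not follow the redirect usefully here, so this
    # path must never be bounced to https://.
    if (req.url ~ "^/\.well-known/acme-challenge/") {
        return (pass);
    }

    # Everything else arriving over plain HTTP is redirected to HTTPS.
    # Assumes the TLS terminator sets X-Forwarded-Proto on HTTPS hits.
    if (req.http.X-Forwarded-Proto !~ "(?i)^https$") {
        return (synth(750, "Redirect to HTTPS"));
    }
}

sub vcl_synth {
    # 750 is an internal marker status, turned into a real 301 here.
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
```

After loading it, `curl -sI http://somedomain.com/.well-known/acme-challenge/test.txt` should return 200 for the test file from step 2 rather than 301 or 403, while any other http:// URL still returns the 301.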