I don’t think you’re missing anything; it’s just that webroot authentication isn’t ideal for every situation.
A few ideas spring to mind. The first would be to use the --nginx authentication method along with certonly. That will use Nginx directly to authenticate but won’t mess with your config.
The second idea would be to use a different client, such as NeilPang’s acme.sh, which can use DNS authentication. That way it doesn’t matter what your setup is or how it’s configured.
The only other thing I can think of would be to write a script that swaps your Nginx config for a “renew” config, reloads Nginx, attempts renewal, then swaps back to your production config and reloads Nginx again. I’d then have cron run it once a week. It’s inelegant, but it’s basically what you’re doing now (only a lot less effort for you!). A script like that could be run once a week and would take less than ten seconds to finish when there’s no renewal to perform. Maybe about 20-30 seconds if renewal is required. That’s not bad downtime in a week.
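One way to write the swap script described in the third suggestion, as an added example that is not part of the original post. The file paths, the `certbot renew` / `nginx -t` / `nginx -s reload` commands and the function names are assumptions; every one can be overridden through the environment. The two points worth getting right are that the production config is restored even when renewal fails, and that a config file is validated before Nginx is asked to reload it, so the script can never leave the site down with a broken file.

```shell
#!/bin/sh
# Added example (not from the post): swap Nginx to a minimal "renew" config,
# attempt renewal, then restore production whatever the outcome.
# All paths and commands below are assumptions; override via environment.

NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"           # file nginx actually loads
PROD_CONF="${PROD_CONF:-/etc/nginx/nginx.conf.production}"  # your real config
RENEW_CONF="${RENEW_CONF:-/etc/nginx/nginx.conf.renew}"     # minimal config serving /.well-known/acme-challenge/
NGINX_TEST="${NGINX_TEST:-nginx -t}"                        # validate before every reload
NGINX_RELOAD="${NGINX_RELOAD:-nginx -s reload}"
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"             # certbot only renews certs that are near expiry

log() { printf '%s renew-swap: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# Copy $1 into place, validate it, then reload. Returns non-zero *without*
# reloading when validation fails, so a broken file never takes nginx down.
# Command variables are expanded unquoted on purpose so "nginx -t" word-splits.
activate_config() {
    cp -- "$1" "$NGINX_CONF" || return 1
    $NGINX_TEST >/dev/null 2>&1 || { log "config $1 failed validation"; return 1; }
    $NGINX_RELOAD
}

# Full cycle: renew config -> renewal attempt -> production config.
# Exit status is the renewal's status, but production is restored first.
renew_with_swap() {
    activate_config "$RENEW_CONF" || return 1
    log "renew config active, attempting renewal"
    $RENEW_CMD
    status=$?
    # Restore production even if renewal failed; shout if *that* fails,
    # because it is the one case that leaves the site down.
    if activate_config "$PROD_CONF"; then
        log "production config restored (renewal exit status $status)"
    else
        log "FAILED to restore production config, manual intervention needed"
        return 2
    fi
    return "$status"
}

# Only run the cycle when invoked with "run", e.g. weekly from cron:
#   0 3 * * 0 /usr/local/bin/renew-swap.sh run >>/var/log/renew-swap.log 2>&1
case "${1:-}" in run) renew_with_swap ;; esac
```

The cron entry passes the exit status through, so a failed renewal (non-zero) or a failed restore (exit 2) shows up in cron mail or whatever watches the log, rather than silently leaving an expiring certificate or, worse, a downed site.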