Invalid Response Errors

Thank you RG305 for being helpful.

I added the following:
location /.well-known/acme-challenge/ {
root "C:/WEB_SERVERS";
}

I attempted to restart the service but received the following error:

nginx: [emerg] "location" directive is not allowed here in C:\WEB_SERVERS\NGINX/conf/mwrp/midwestrp.net.conf:4

1 Like

The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Would my webroot path be C:\WEB_SERVERS ?

In every place you see this, add the code from my previous post right above it. That would be the correct location.

So it would be:

        location /.well-known/acme-challenge/ {
            root "C:/WEB_SERVERS";
        }

        location ~ / {
            proxy_set_header  Host $host;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-Proto https;
            proxy_set_header  X-Forwarded-For $remote_addr;
            proxy_set_header  X-Forwarded-Host $remote_addr;
            proxy_pass   http://127.0.0.1:4000;
            allow all;
        }

for each of the three instances in that file.

4 Likes

Okay. Give me a minute. Again, thank you for being patient and helping. I'm new to this and learning.

1 Like

I added it exactly as described, ran the command you said and received the following:

PS C:\Windows\system32> certbot certonly -d midwestrp.net --webroot -w "C:/WEB_SERVERS"
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for midwestrp.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: midwestrp.net
Type: unauthorized
Detail: 147.135.105.106: Invalid response from http://midwestrp.net/.well-known/acme-challenge/sn4Gjy68ewOe4xCdajq3unOr77RlzeL_IucJvv0Q2iU: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

I did restart NGINX service prior to running this command.


Just to provide an image.

Arrrrgh this sent me down a very deep rabbit hole with nginx and Windows, but I think I know what's wrong.

Apparently on Windows, any root you provide has to be relative to the directory where nginx is installed. When we try to pass C:\WEB_SERVERS as a root, it doesn't work.

So, on my test Windows server, I did it like this.

With the new location block I suggested, I changed it to:

    location /.well-known/acme-challenge/ {
    }

then I adjusted the Certbot command to be (you'll need to fix the nginx path to the one on your server):

certbot certonly --webroot -w "C:/WEB_SERVERS/nginx-1.23.3/html/" -d example.com

and I was able to issue a certificate.

Sorry, I had no idea that nginx on Windows had this restriction :angry: .

4 Likes

Okay let me give this a try :slight_smile: Give me a bit.

I was successful with midwestrp.net and it worked! But ia.midwestrp.net didn't. This was the error it generated...

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ia.midwestrp.net
Type: unauthorized
Detail: 147.135.105.106: Invalid response from http://ia.midwestrp.net/.well-known/acme-challenge/5wr0PVxn0sOmM3EZ246Wvd13ynOp_aKi5SzOCg2vk-Y: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Here is the successful one

PS C:\Windows\system32> certbot certonly --webroot -w "C:/WEB_SERVERS/nginx/html/" -d midwestrp.net
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for midwestrp.net

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\midwestrp.net\fullchain.pem
Key is saved at: C:\Certbot\live\midwestrp.net\privkey.pem
This certificate expires on 2023-04-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


Just an FYI...

I ran certbot certificates and I do have the following successfully added. However, I'm unable to do the ia.midwestrp.net one as indicated above.

C:\Windows\system32> certbot certificates
Saving debug log to C:\Certbot\log\letsencrypt.log


Found the following certs:
Certificate Name: midwestrp.net
Serial Number: 390ff916b5d75b8a29dfe230ea6e31da264
Key Type: RSA
Domains: midwestrp.net
Expiry Date: 2023-04-12 08:56:22+00:00 (VALID: 89 days)
Certificate Path: C:\Certbot\live\midwestrp.net\fullchain.pem
Private Key Path: C:\Certbot\live\midwestrp.net\privkey.pem
Certificate Name: www.midwestrp.net
Serial Number: 4431a170ceaa0a1acaf068ada2328ce2280
Key Type: RSA
Domains: www.midwestrp.net
Expiry Date: 2023-04-12 09:14:30+00:00 (VALID: 89 days)
Certificate Path: C:\Certbot\live\www.midwestrp.net\fullchain.pem
Private Key Path: C:\Certbot\live\www.midwestrp.net\privkey.pem


The one site which was working but isn't anymore is mwrp.app.

Did you add the same location block to the part of midwestrp.net.conf that is relevant for ia.midwestrp.net?

Specifically here:

2 Likes

Yes, I did. Refer to the image to ensure accuracy.

I get a 502 error on this one...

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ia.midwestrp.net
Type: unauthorized
Detail: 147.135.105.106: Invalid response from http://ia.midwestrp.net/.well-known/acme-challenge/YJxSfrgodKv7NsPx_cLOwr_D14RsuB3YzD6CNB5gME8: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think I found the reason why I am getting this 502 error. I am looking into it and will report back.

1 Like

Based on that configuration screenshot and the fact you're getting a 502, I'd be sure that you haven't restarted nginx since applying the change. But I suppose that since we last talked, you must have done it at least once.

I would guess that the 502 comes from the proxy_pass, which means that the location rule for /.well-known/acme-challenge/ isn't applying for some reason.

3 Likes

I had not started it, correct! With it started, I now get this message:

PS C:\Windows\system32> certbot certonly --webroot -w "C:/WEB_SERVERS/nginx/html/" -d ia.midwestrp.net
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for ia.midwestrp.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ia.midwestrp.net
Type: unauthorized
Detail: 147.135.105.106: Invalid response from http://ia.midwestrp.net/.well-known/acme-challenge/Kk69k2F4-rzAYe-OANtdYq2uYXmDJpxiUttNfF-4EGA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Any idea what could cause this not to renew?

Please show the recently added code to that server block.
[it might possibly have a TYPO]

Also, try placing a file in that expected challenge folder [like: TEST.TXT]
Then see if it can be reached via the Internet:
http://ia.midwestrp.net/.well-known/acme-challenge/TEST.TXT

2 Likes
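The manual check suggested in the post above (drop a test file into the challenge folder, then fetch it over HTTP) can be scripted so it is repeated for every hostname and the status code is mapped to the likely cause seen in this thread. This is an added example, not code from the thread or from Certbot; it assumes the webroot is C:\WEB_SERVERS\nginx\html (the path used in the thread) and that the domain names are supplied by the caller.

```powershell
# Added example, not from the thread: probe whether a challenge file placed in the
# nginx webroot is reachable over HTTP, the way the CA would fetch it.
# Assumptions: nginx serves static files from C:\WEB_SERVERS\nginx\html (the webroot
# used in the thread); domain names are passed in by the caller.
function Test-AcmeChallengePath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [string] $WebRoot = 'C:\WEB_SERVERS\nginx\html'
    )

    $challengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
    if (-not (Test-Path -LiteralPath $challengeDir)) {
        New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
    }

    # Fresh random token each run so a cached or stale file cannot produce a false pass
    $token    = [guid]::NewGuid().ToString('N')
    $expected = "probe-$token"
    $file     = Join-Path $challengeDir $token
    Set-Content -LiteralPath $file -Value $expected -NoNewline -Encoding Ascii

    try {
        foreach ($d in $Domain) {
            # Plain HTTP on port 80, which is what the CA requests for an HTTP-01 challenge
            $url = "http://$d/.well-known/acme-challenge/$token"
            try {
                $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $status = [int]$resp.StatusCode
                $body   = [string]$resp.Content
            } catch {
                # Windows PowerShell throws on 4xx/5xx; recover the status code from the exception
                $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
                $body   = ''
            }

            # Map the status to the failure modes discussed in the thread
            $diagnosis = switch ($status) {
                200     { if ($body.Trim() -eq $expected) { 'OK: challenge file served from this webroot' }
                          else { 'Wrong content: another location or site answered for this path' } }
                404     { 'Not found: location block missing for this server, or root is not the directory Certbot writes to' }
                502     { 'Bad gateway: request reached proxy_pass, so the acme-challenge location is not matching (config not reloaded?)' }
                0       { 'No HTTP answer: DNS, firewall, or nginx not listening on port 80' }
                default { "Unexpected status $status" }
            }

            [pscustomobject]@{
                Domain    = $d
                Status    = $status
                Pass      = ($status -eq 200 -and $body.Trim() -eq $expected)
                Diagnosis = $diagnosis
            }
        }
    } finally {
        # Always remove the probe file, even if a request threw
        Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
    }
}

# Usage (run after restarting or reloading nginx):
# Test-AcmeChallengePath -Domain 'midwestrp.net','ia.midwestrp.net' | Format-Table -AutoSize
```

Running this from the server itself only proves that nginx serves the file locally; a hosts-file entry or a firewall rule can still make the result differ from what the CA sees, so repeat the fetch from an outside machine if the server-side probe passes but Certbot still fails. A 502 for the probe is the strongest hint that the request is still falling through to the proxy_pass block, which in this thread turned out to mean nginx had not been restarted after the edit.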

If that fails...
Please show the tail of:
logs/ia.access.log

3 Likes

I just re-ran the command and here is the tail end:

18.118.22.54 - - - [12/Jan/2023:20:22:07 -0800]"GET /.well-known/acme-challenge/A9INj3yKDey9VSVu08zF_NoroOgDsRxgOjYNWecRCXA HTTP/1.1" (404 - 268b->202b)in 0.002s"-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

35.85.147.230 - - - [12/Jan/2023:20:22:07 -0800]"GET /.well-known/acme-challenge/A9INj3yKDey9VSVu08zF_NoroOgDsRxgOjYNWecRCXA HTTP/1.1" (404 - 268b->202b)in 0.002s"-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

23.178.112.106 - - - [12/Jan/2023:20:22:07 -0800]"GET /.well-known/acme-challenge/A9INj3yKDey9VSVu08zF_NoroOgDsRxgOjYNWecRCXA HTTP/1.1" (404 - 268b->202b)in 0.001s"-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
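The log lines above show the CA's validation servers fetching the token and getting a 404. Picking those requests out of a busy access log by hand is tedious, so here is an added example (not from the thread) that parses the custom log format visible above and returns one record per ACME validation request, with a flag for whether the client identified itself as the Let's Encrypt validation server. The regex is written for the exact layout of the lines in this thread; the sample lines embedded below are constructed, with made-up IPs and token.

```powershell
# Added example, not from the thread: summarise ACME validation requests from an nginx
# access log in the custom format shown in the thread (ip - - - [time]"GET path HTTP/1.1" (status - ...)).
function Get-AcmeValidationAttempt {
    param([Parameter(Mandatory)] [string[]] $Line)

    # Named groups: client IP, timestamp, request path, challenge token, status code.
    # Only lines whose path is under /.well-known/acme-challenge/ match.
    $pattern = '^(?<ip>\S+)\s.*?\[(?<time>[^\]]+)\]\s*"(?<method>[A-Z]+)\s' +
               '(?<path>/\.well-known/acme-challenge/(?<token>[A-Za-z0-9_-]+))\s[^"]*"\s*\((?<status>\d{3})'

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Time            = $Matches['time']
                Client          = $Matches['ip']
                Token           = $Matches['token']
                Status          = [int]$Matches['status']
                FromLetsEncrypt = ($l -like "*Let's Encrypt validation server*")
            }
        }
    }
}

# Constructed sample lines modelled on the thread's log tail (IPs and token are made up)
$sample = @(
    '203.0.113.10 - - - [12/Jan/2023:20:22:07 -0800]"GET /.well-known/acme-challenge/EXAMPLETOKEN_abc HTTP/1.1" (404 - 268b->202b)in 0.002s"-" "Mozilla/5.0 (compatible; Let''s Encrypt validation server; +https://www.letsencrypt.org)"',
    '203.0.113.11 - - - [12/Jan/2023:20:22:07 -0800]"GET /.well-known/acme-challenge/EXAMPLETOKEN_abc HTTP/1.1" (200 - 268b->87b)in 0.001s"-" "Mozilla/5.0 (compatible; Let''s Encrypt validation server; +https://www.letsencrypt.org)"',
    '198.51.100.7 - - - [12/Jan/2023:20:23:00 -0800]"GET /index.html HTTP/1.1" (200 - 300b->1024b)in 0.003s"-" "curl/7.0"'
)

$attempts = Get-AcmeValidationAttempt -Line $sample
$attempts | Format-Table -AutoSize

# Quick tally: anything other than 200 from a Let's Encrypt client means the challenge was not served
$attempts | Where-Object FromLetsEncrypt | Group-Object Status | Select-Object Name, Count

# Live use, on the server (path from the thread, adjust to your nginx install):
# Get-AcmeValidationAttempt -Line (Get-Content 'C:\WEB_SERVERS\nginx\logs\ia.access.log' -Tail 200)
```

Because the CA validates from several vantage points at once, one Certbot run normally produces a small burst of requests for the same token within the same second, as in the tail above; if that burst is missing entirely, the requests never reached this nginx instance (DNS pointing elsewhere, or another listener on port 80), whereas a burst of 404s means nginx answered but served the path from the wrong root.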