check out Using the webroot domain verification method example you can do a specific location context match to allow .well-known directories. I do the same for me webroot implementation on Nginx Letsencrypt Webroot Authentication Tested on Beta invited/whitelisted domain