You can simply create one vhost config block that basically just says:
“There is NO HTTP server here, go to HTTPS - (except for any challenge requests)”
[modify to fit your needs]
#NGINX sample code
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Serve ACME HTTP-01 challenge files straight from the webroot
    # (path is an assumption; point it at the directory your ACME client writes to)
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri =404;
    } #location

    # Everything else: permanent redirect to HTTPS
    return 301 https://$host$request_uri;
} #server
And if you are super paranoid, you can send the port 80 connections to a separate system (not to the same one that does port 443).
Then proxy only the challenge requests from the “80 only system” to the “443 only system”.
If you are insane about security, then place an IPS between the “80 only system” and the “443 only system” to ensure no funny business is going on.
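A worked version of the split setup above, added here as an example and not taken from the original post. It assumes the 80-only system is 10.0.0.1, the 443-only system exposes a plain-HTTP challenge listener on an internal address 10.0.0.2:8080 reachable only from the 80-only box, and the ACME webroot is /var/www/letsencrypt.

```nginx
# ---- 80-only system: redirect everything, proxy only the ACME challenge path ----
upstream acme_backend {
    server 10.0.0.2:8080;   # assumed internal listener on the 443-only system
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Prefix match with ^~ so no regex location can steal the challenge path
    location ^~ /.well-known/acme-challenge/ {
        limit_except GET { deny all; }     # GET (and HEAD) only; nothing else is forwarded
        proxy_pass http://acme_backend;
        proxy_set_header Host $host;       # backend needs the real hostname for the token lookup
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }

    # Every other request on port 80 is sent to HTTPS
    return 301 https://$host$request_uri;
}

# ---- 443-only system: internal-only listener that serves the challenge files ----
server {
    listen 10.0.0.2:8080;      # not bound on any public interface
    allow 10.0.0.1;            # only the 80-only system may talk to it
    deny all;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed ACME webroot
        try_files $uri =404;
    }

    # Anything that is not a challenge request gets nothing from this listener
    location / { return 404; }
}
```

After a reload, `curl -sI http://yourhost/anything` should answer 301 with a Location header pointing at https, while `curl -sI http://yourhost/.well-known/acme-challenge/missing` should answer 404 without a redirect.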
If that still keeps you up at night… talk to my friends Jack and Johnny and the good o’le Captain.