What I don't like about your setup is that you used one server block for each FQDN on port 80. For example, I did the same redirect on multiple subdomains like this:
server {
    listen 80;
    listen [::]:80;
    server_name .example.com;
    # simplified form -- see http://nginx.org/en/docs/http/server_names.html
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
And I only have this block on port 80. Several on 443.
A wanted side effect: all subdomains have the same webroot as far as Let's Encrypt is concerned. On port 443, they serve different things.
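
An added example, not part of the original post: when the wildcard block is the only server on port 80, nginx also uses it as the default server, so a request whose Host header is not under example.com still gets a redirect built from `$host`. The sketch below assumes you want such requests dropped, and adds a catch-all in front of the same block.

```nginx
# Added example. The catch-all block is an assumption, not the poster's config.

# Requests whose Host header matches no server_name on port 80 land here
# instead of falling through to the wildcard block below.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # nginx-specific code: close the connection, send nothing
}

# The single port-80 block from the post, unchanged in behaviour.
server {
    listen 80;
    listen [::]:80;
    server_name .example.com;   # example.com and every subdomain

    # One shared webroot for HTTP-01 challenges on all names
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # $host is now always a name that matched .example.com
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Let's Encrypt validation requests carry the name being validated in the Host header, so they still reach the second block.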