Support for HTTP-01 Challenge over Port 443 with Self-Signed Certificate (for Port 80-Blocked Environments)

Unfortunately this is not possible. I'm not really knowledgeable about the exact details, but there are (apparently) good reasons why it's not possible to start the http-01 challenge over HTTPS.

You can probably find out details about this here on the Community, maybe from the earlier days of ACME.

A different solution might be to terminate TLS not by nginx, but by an application that terminates TLS and that will reverse proxy the connection to nginx but also can do the tls-alpn-01 challenge.

Maybe things like lets-proxy2 (I just saw that in the list of ACME Client Implementations, no experience with it), and there might be others out there too. HAProxy unfortunately only seems to have http-01 support.

Also, ChatGPT came up with using the nginx stream module (Module ngx_stream_core_module and https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html):

stream {
    # $ssl_preread_alpn_protocols is the comma-separated ALPN list from the
    # ClientHello. Map it straight to an upstream name: proxy_pass accepts a
    # variable, but not a ternary expression.
    map $ssl_preread_alpn_protocols $backend {
        "~\bacme-tls/1\b" acme_backend;
        default           nginx_backend;
    }

    # tls-alpn-01 capable ACME client listening here
    upstream acme_backend {
        server 127.0.0.1:8443;
    }

    # the regular http {} block, moved off 443
    upstream nginx_backend {
        server 127.0.0.1:4433;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}

For this example you'd need to have your http {} block listen on 4433. And you'd need a tls-alpn-01 capable ACME client, which Certbot isn't, e.g. lego.

Note that ChatGPT probably made some mistakes (as LLMs most often do) and I haven't tested the above.

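To make the routing decision in the stream config above concrete, here is an added example (not code from the post above, and not how nginx implements ssl_preread) that does the same thing by hand: it builds a minimal ClientHello with SNI and ALPN, parses the ALPN extension back out, and picks the backend the way the map does. Everything is constructed inline; the host name example.com, the backend names and the function names are assumptions for illustration. The point worth seeing is that the decision is made on the unencrypted ClientHello before any TLS termination, which is exactly why a plain TCP proxy can hand the acme-tls/1 handshake to a different process, and that a truncated or malformed record must fall through to the default backend rather than to the ACME listener.

```python
import struct

ALPN_EXT = 16               # TLS extension type for ALPN (RFC 7301)
ACME_PROTO = "acme-tls/1"   # ALPN protocol name used by tls-alpn-01 (RFC 8737)


def build_client_hello(server_name: str, alpn: list[str]) -> bytes:
    """Construct a minimal TLS ClientHello record carrying SNI and ALPN.

    Constructed test input only: zero random, one cipher suite, no other
    extensions. Enough to exercise a preread-style router, not a real handshake.
    """
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = SNI
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        alpn_data = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", ALPN_EXT, len(alpn_data)) + alpn_data
    body = (
        b"\x03\x03" + bytes(32)                 # legacy_version TLS 1.2, random (zeros)
        + b"\x00"                               # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def parse_alpn(record: bytes) -> list[str]:
    """Return the ALPN protocol names offered in a ClientHello record.

    Raises ValueError for anything that is not a well-formed ClientHello so the
    caller can fall back to the default backend instead of guessing.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                               # skip version + random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        if pos == len(body):
            return []                                              # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            if len(data) != elen:
                raise ValueError("truncated extension")
            pos += elen
            if etype == ALPN_EXT:
                list_len = struct.unpack("!H", data[:2])[0]
                names, i = [], 2
                while i < 2 + list_len:
                    n = data[i]
                    if i + 1 + n > 2 + list_len:
                        raise ValueError("truncated ALPN list")
                    names.append(data[i + 1:i + 1 + n].decode("ascii"))
                    i += 1 + n
                return names
        return []
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_backend(record: bytes) -> str:
    """Mirror the stream-module map: acme-tls/1 offered -> ACME client, else nginx.

    Unparseable input goes to the default backend, matching the map's `default`,
    so the real TLS server rejects it rather than the ACME listener.
    """
    try:
        protos = parse_alpn(record)
    except ValueError:
        return "nginx_backend"
    return "acme_backend" if ACME_PROTO in protos else "nginx_backend"


if __name__ == "__main__":
    for alpn in (["acme-tls/1"], ["h2", "http/1.1"], []):
        hello = build_client_hello("example.com", alpn)   # example.com is a placeholder
        print(alpn, "->", choose_backend(hello))
```

The map in the nginx config matches the same comma-joined list that parse_alpn returns as a Python list, so `"~\bacme-tls/1\b"` and `ACME_PROTO in protos` make the same decision; the difference is only that nginx does it before a single byte is decrypted and then splices the raw TCP stream through to whichever upstream won.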