Tls: no application protocol when attempting to create Let's Encrypt certificate using FortiGate firewall

Here is an online tool https://www.redirect-checker.org/ to "Check Your Redirects and Statuscode"
You will want to enter http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> as the input.
See the HTTP-01 challenge section of Challenge Types - Let's Encrypt.

Using your example for inputs:

1 Like

Correct.

1 Like

The error is coming from your server, so I can't absolutely say -- it could redirect to an HTTPS url and then decide to give that error for fun if it wanted. But it is almost surely a TLS-ALPN challenge sent to a TLS implementation that doesn't know how to respond. It's the TLS version of a 404 error.

5 Likes

There were no redirects when the error first started. I deployed Let's Encrypt on the NGINX server, just to see if that would fix the error, and it didn't make a difference either way.

Looking through the release notes of FortiOS 7.2.4, I just noticed this under known issues:
Bug ID 864703 - ACME client fails to work with some CA servers. I'm wondering if that bug is somehow only affecting new certificate requests, but not renewals. I'll ask Fortinet TAC about it.

How do you deploy Let's Encrypt, as Let's Encrypt is https://letsencrypt.org/?
Are you trying to say you have deployed TLS with a Let's Encrypt issued certificate on your nginx server?
And how are you deploying TLS with a Let's Encrypt issued certificate on your FortiGate?

1 Like

Please share which ACME clients fail and with which Certificate Authorities.

Which ACME Client(s) do you use?

1 Like

That changelog is referring to the ACME client built into FortiOS on FortiGate firewalls.

2 Likes

Ah. That makes me think that it's possible that the public DNS record was changed, and is now pointing at a system that isn't the one running the client. And maybe if there's a split-horizon-type internal DNS that hasn't changed, the users actually running the system wouldn't have noticed?

Just another wild guess to try looking at.

6 Likes

But with which ACME Certificate Authorities?

1 Like

Let's Encrypt. I have gotten new certificates from them using an older version of FortiOS, but apparently renewals must not be affected by this bug, because I've been on this firmware version for a while and never noticed any issues until I tried to request a new certificate today.

Nothing changed in DNS or my NGINX reverse proxy configs. That's why I was so confused until now.

So could you try one of the other free ACME Certificate Authorities, in an attempt to understand if the issue is Let's Encrypt-specific?

2 Likes

The FortiGate ACME client doesn't support external account binding (EAB), so the only one I was able to try is BuyPass. It failed with the following error:

None of offered challenge types for domain vpn.redacted.net are supported. The server offered 'http-01 dns-01' and available are: 'tls-alpn-01'.

So, this confirms that FortiOS has indeed switched the challenge method for new certificates to alpn-01 without telling anyone. Lovely.

So, for the record, this problem had nothing to do with a bad NGINX config.

2 Likes
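As an added illustration (not code from this thread, from FortiOS, or from any ACME client), the following Python models the step that fails in the BuyPass error above and in the "TLS version of a 404" explanation earlier: the client reads the CA's authorization object, picks a challenge type it can satisfy, and computes what it must present for that type (RFC 8555 section 8 for http-01 and dns-01, RFC 8737 for tls-alpn-01). The authorization JSON, the token, the account JWK and the names `vpn.example.net` and `ca.example` are constructed placeholder values.

```python
"""Added example: ACME challenge selection and challenge responses (RFC 8555 / RFC 8737).
Not taken from the forum thread, FortiOS or any real ACME client; all values are constructed."""
import base64
import hashlib
import json

# Constructed sample authorization object, as a CA would return it for one identifier.
# A CA that offers only http-01 and dns-01, like the BuyPass response quoted in the thread.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "vpn.example.net"},
    "status": "pending",
    "challenges": [
        {"type": "http-01", "url": "https://ca.example/chall/1", "token": "EXAMPLE_TOKEN_constructed_0123456789"},
        {"type": "dns-01", "url": "https://ca.example/chall/2", "token": "EXAMPLE_TOKEN_constructed_0123456789"},
    ],
}

# Constructed sample account key (public part only); the coordinates are arbitrary strings,
# not a real curve point. A real client uses its own ACME account key here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZV94X2Nvb3JkaW5hdGU", "y": "c29tZV95X2Nvb3JkaW5hdGU"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def offered_types(authz: dict) -> list:
    return [c["type"] for c in authz["challenges"]]


def select_challenge(authz: dict, supported: list):
    """Return the first offered challenge whose type the client can satisfy, else None."""
    for challenge in authz["challenges"]:
        if challenge["type"] in supported:
            return challenge
    return None


def unsupported_message(authz: dict, supported: list) -> str:
    """Diagnostic for the no-overlap case, worded like the failure quoted in the thread."""
    return (
        f"None of offered challenge types for domain {authz['identifier']['value']} are supported. "
        f"The server offered '{' '.join(offered_types(authz))}' and available are: '{' '.join(supported)}'."
    )


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint: the value every challenge type derives its proof from."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_response(authz: dict, challenge: dict, jwk: dict) -> dict:
    """What the client must publish for the chosen challenge, and where."""
    host = authz["identifier"]["value"]
    ka = key_authorization(challenge["token"], jwk)
    kind = challenge["type"]
    if kind == "http-01":
        # Served in plain HTTP on port 80; a redirect instead of the body is what a CA would see as a failure.
        return {"url": f"http://{host}/.well-known/acme-challenge/{challenge['token']}", "body": ka}
    if kind == "dns-01":
        return {"record": f"_acme-challenge.{host} TXT", "value": b64url(hashlib.sha256(ka.encode()).digest())}
    if kind == "tls-alpn-01":
        # A TLS handshake on port 443 that negotiates ALPN "acme-tls/1" and serves a self-signed cert
        # whose acmeIdentifier extension carries this digest. A server that does not know the
        # acme-tls/1 protocol answers with a "no application protocol" alert instead.
        return {"alpn": "acme-tls/1", "acme_identifier_sha256": hashlib.sha256(ka.encode()).digest().hex()}
    raise ValueError(f"unknown challenge type {kind}")


if __name__ == "__main__":
    # The situation described in the thread: a client that only knows tls-alpn-01
    # against a CA that only offers http-01 and dns-01.
    chosen = select_challenge(SAMPLE_AUTHZ, ["tls-alpn-01"])
    print(unsupported_message(SAMPLE_AUTHZ, ["tls-alpn-01"]) if chosen is None else challenge_response(SAMPLE_AUTHZ, chosen, SAMPLE_JWK))
    # A client that supports http-01 gets a usable challenge from the same authorization.
    chosen = select_challenge(SAMPLE_AUTHZ, ["http-01", "tls-alpn-01"])
    print(challenge_response(SAMPLE_AUTHZ, chosen, SAMPLE_JWK))
```

The thumbprint is computed from the canonical form of the key, so the same key yields the same key authorization no matter how the JWK dictionary is ordered; the CA recomputes it from the account key it already holds, which is why a token fetched from the wrong host, or a redirect instead of the body, cannot pass.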

This issue would seem, presently, to be in Fortinet, Inc.'s FortiGate's FortiOS ballpark!
Best of luck. 🙂

2 Likes

Fortinet Support just told me

The bug seems to be fixed in v7.2.5 and it is scheduled to be released in late May.

2 Likes

Just a short wait. 🙂

2 Likes

@seanthegeek, what exact version of 7.2.4 are you running?

Using: v7.2.4 build1396 (Feature)
I was able to obtain a new cert today on a 60F [using http-01 authentication]

18.118.147.19 - - [20/Apr/2023:01:59:15 +0000] "GET /.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU HTTP/1.1" 200 87 "http://[redacted]/.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.209 - - [20/Apr/2023:01:59:16 +0000] "GET /.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU HTTP/1.1" 200 87 "http://[redacted]/.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.38.161.17 - - [20/Apr/2023:01:59:16 +0000] "GET /.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU HTTP/1.1" 200 87 "http://[redacted]/.well-known/acme-challenge/c7xn1o6QtipGkDQsOf8HbzzWSE_DVo-yJ84Wla-n3cU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
4 Likes
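The access-log lines above are the evidence that http-01 validation actually reached the web server: one fetch per Let's Encrypt vantage point, each answered with a 200 and the key authorization body. As an added example (not code from the thread or from any Let's Encrypt tooling), the following Python reads combined-format access-log lines, picks out ACME challenge fetches and reports, per token, how many distinct sources fetched it and whether every fetch was answered directly rather than redirected. The log text is a constructed sample modelled on the lines in the post, with documentation-range IP addresses and made-up tokens.

```python
"""Added example: summarise ACME http-01 validation attempts from web-server access logs.
Not from the forum thread; the sample log below is constructed."""
import re
from collections import defaultdict

# Constructed sample in nginx/Apache "combined" format. Tokens and addresses are made up.
# The first token is fetched from three sources and served directly; the second is redirected (301).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2023:01:59:15 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN_aaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [20/Apr/2023:01:59:16 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN_aaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [20/Apr/2023:01:59:16 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN_aaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [21/Apr/2023:09:00:00 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN_bbbbbbbbbbbbbbbbbbbbbbb HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.99 - - [21/Apr/2023:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0.1"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# ACME tokens are base64url; anything else under that path is not a challenge fetch.
ACME_PATH_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")
VALIDATOR_UA = "Let's Encrypt validation server"


def parse_line(line: str):
    """Split one combined-format line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def acme_validation_report(log_text: str) -> dict:
    """Per challenge token: distinct source count, status codes seen, and two checks:
    all_ok (every fetch got a 200; a 301/302 means the token was redirected, not served) and
    from_validator (every fetch carried the Let's Encrypt validator user-agent)."""
    by_token = defaultdict(lambda: {"sources": set(), "statuses": [], "user_agents": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue
        pm = ACME_PATH_RE.match(rec["path"])
        if pm is None:
            continue
        entry = by_token[pm["token"]]
        entry["sources"].add(rec["ip"])
        entry["statuses"].append(int(rec["status"]))
        entry["user_agents"].add(rec["ua"])
    return {
        token: {
            "vantage_points": len(e["sources"]),
            "statuses": sorted(set(e["statuses"])),
            "all_ok": all(s == 200 for s in e["statuses"]),
            "from_validator": all(VALIDATOR_UA in ua for ua in e["user_agents"]),
        }
        for token, e in by_token.items()
    }


if __name__ == "__main__":
    for token, summary in acme_validation_report(SAMPLE_LOG).items():
        print(token, summary)
```

Run it against the real access log with `acme_validation_report(open(path).read())`. A token that shows up with several vantage points and `all_ok` is the pattern in the post above; a token whose only status is a 301 points at a redirect in front of the challenge path, and a token that never appears at all means the request did not reach this server, which is the case the thread eventually narrowed down to (the client was not sending http-01 in the first place).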

@seanthegeek, can you share the TAC support ticket number?

4 Likes

8271701

2 Likes