I had the same issue; Let's Encrypt does the challenge on port 80. Easy to solve, though. Your port 80 site must have two location directives: one for the challenge, and another for the redirect to https
server {
    # SSL configuration
    #
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;
    .........
}
server {
    listen *:80;
    listen [::]:80;
    server_name mywebsite.com www.mywebsite.com;
    # ACME Challenge Rule: must be served over plain HTTP, not redirected
    location /.well-known {
        alias /var/www/mywebsite.com/.well-known;
        allow all;
        default_type "text/plain";
        autoindex on;
    }
    # Everything else goes to https
    location / {
        return 301 https://mywebsite.com$request_uri;
    }
    access_log /var/log/nginx/mywebsite.com-access.log;
    error_log /var/log/nginx/mywebsite.com-error.log;
}
And I must give credit: I found the solution here - Cannot renew certs when redirecting http to https - and all my renewals now work flawlessly using webroot.
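A quick way to confirm that the two-location split above actually took effect before a renewal is due is to probe port 80 the way the HTTP-01 validator does: a request under `/.well-known/acme-challenge/` must be answered directly (a 404 is fine while no token file exists), and every other path must 301 to `https://`. The script below is an added example, not part of the original answer; the hostname `mywebsite.com`, the probe paths and the two response tables are constructed, and `fetch()` is an assumed helper that uses only `http.client` so nginx's redirect is observed rather than followed.

```python
"""Probe an nginx port-80 vhost: the ACME HTTP-01 challenge path must be
served over plain HTTP, every other path must redirect to https://."""
import http.client
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Probe:
    path: str
    status: int
    location: Optional[str]


def evaluate(probe: Probe) -> Tuple[bool, str]:
    """Decide whether one observed response matches the intended split."""
    if probe.path.startswith(ACME_PREFIX):
        # The validator needs the token over HTTP; a redirect here means the
        # catch-all `location /` is shadowing the challenge location.
        if probe.status in REDIRECT_CODES:
            return False, f"{probe.path}: redirected ({probe.status}), challenge shadowed"
        return True, f"{probe.path}: served over plain HTTP ({probe.status})"
    if (probe.status in REDIRECT_CODES and probe.location
            and probe.location.startswith("https://")):
        return True, f"{probe.path}: redirected to {probe.location}"
    return False, f"{probe.path}: expected https:// redirect, got {probe.status} {probe.location}"


def fetch(host: str, path: str, timeout: float = 5.0) -> Probe:
    """Live fetcher (assumed helper): plain HTTP GET, redirects NOT followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def check_host(host: str, fetcher: Callable[..., Probe] = fetch) -> List[Tuple[bool, str]]:
    """Probe a challenge-style path plus two ordinary paths on the given host."""
    paths = [ACME_PREFIX + "probe-token", "/", "/some/page?x=1"]
    return [evaluate(fetcher(host, p)) for p in paths]


def all_ok(results: List[Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results)


# Constructed responses standing in for the two configurations (no network).
# Only `location / { return 301 ... }`, no challenge location:
BROKEN: Dict[str, Tuple[int, Optional[str]]] = {
    ACME_PREFIX + "probe-token": (301, "https://mywebsite.com" + ACME_PREFIX + "probe-token"),
    "/": (301, "https://mywebsite.com/"),
    "/some/page?x=1": (301, "https://mywebsite.com/some/page?x=1"),
}
# Challenge location plus redirect, as in the answer above (no token on disk yet):
FIXED: Dict[str, Tuple[int, Optional[str]]] = {
    ACME_PREFIX + "probe-token": (404, None),
    "/": (301, "https://mywebsite.com/"),
    "/some/page?x=1": (301, "https://mywebsite.com/some/page?x=1"),
}


def fake_fetcher(table: Dict[str, Tuple[int, Optional[str]]]) -> Callable[..., Probe]:
    """Build a fetcher that replays one of the constructed response tables."""
    def fetcher(host: str, path: str) -> Probe:
        status, location = table[path]
        return Probe(path, status, location)
    return fetcher


if __name__ == "__main__":
    for label, table in (("redirect only", BROKEN), ("challenge + redirect", FIXED)):
        results = check_host("mywebsite.com", fake_fetcher(table))
        print(f"[{label}] {'OK' if all_ok(results) else 'FAIL'}")
        for _, reason in results:
            print("   ", reason)
    # Against a real host: check_host("mywebsite.com")  (uses the live fetch())
```

Run it against the real vhost with `check_host("mywebsite.com")`; a 301 on the challenge path is exactly the failure the renewal would hit. Note that the posted config also turns `autoindex on` for the aliased `.well-known` directory, which is not required for HTTP-01 and exposes a directory listing of whatever else lives there; the probe above does not need it.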