Sure, no problem. The nginx plug-in briefly does:
1. Modify the nginx conf to respond to the authentication challenge.
2. Reload nginx: `nginx -c /etc/nginx/nginx.conf -s reload`
3. Request/get cert, which has LE servers sending the challenge.
4. Remove the nginx conf updates from step 1.
5. Reload nginx again to remove the updates and pick up the new cert.

A problem can occur if the reload in step 2 fails (or I suppose step 5 too, but if it worked in step 2 it should work in step 5).

When the reload fails, certbot tries to start nginx but does not use systemd. Instead, it does `nginx -c /etc/nginx/nginx.conf`. There is now an nginx that systemd is not aware of, so you cannot control it as you'd expect.
Now, why might the reload fail? There may be various reasons but the two most common are:
- nginx was not running when you started certbot (can't reload if not running)
- enabling perl in nginx can sometimes cause a segv fault during reload
The thread below has comments from a certbot dev with more details. It is long and involved. That was my first experience with this, um, quirk. Since then I've personally dealt with a handful of cases.
@_az In that thread you said you'd try to see about using systemd. Have you evaluated that yet?
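As an added example (not certbot's code, nor anything from the thread), a small check for the two conditions described above: systemd reporting no running nginx, so the step 2 reload would have nothing to signal, and an nginx master running outside systemd's control after certbot's direct `nginx -c ...` fallback. It assumes a systemd unit named `nginx` and the standard `nginx: master process` command line; the decision logic lives in `classify()` so it can be exercised without nginx installed.

```python
"""Pre-flight / post-mortem check for the certbot --nginx reload quirk.

Added example; assumes a systemd unit "nginx" and that masters show up
in the process list as "nginx: master process".
"""
import subprocess
from typing import Iterable


def systemd_main_pid(unit: str = "nginx") -> int:
    """MainPID systemd tracks for the unit; 0 means systemd sees it stopped."""
    out = subprocess.run(
        ["systemctl", "show", "-p", "MainPID", "--value", unit],
        capture_output=True, text=True, check=False,
    ).stdout.strip()
    return int(out) if out.isdigit() else 0


def running_nginx_masters() -> list[int]:
    """PIDs of every nginx master process on the host, found via pgrep."""
    out = subprocess.run(
        ["pgrep", "-f", "nginx: master process"],
        capture_output=True, text=True, check=False,
    ).stdout.split()
    return [int(p) for p in out if p.isdigit()]


def classify(main_pid: int, masters: Iterable[int]) -> dict:
    """Pure logic, kept separate so it is testable without nginx.

    reload_would_fail: systemd has no running nginx, so `nginx -s reload`
                       (certbot's step 2) cannot succeed.
    orphans:           masters systemd is not aware of, i.e. what is left
                       behind once certbot starts nginx directly.
    """
    return {
        "reload_would_fail": main_pid == 0,
        "orphans": sorted(set(masters) - {main_pid}),
    }


def check(unit: str = "nginx") -> dict:
    return classify(systemd_main_pid(unit), running_nginx_masters())


if __name__ == "__main__":
    result = check()
    if result["reload_would_fail"]:
        print("nginx not running under systemd; start it before certbot --nginx")
    if result["orphans"]:
        print("nginx master(s) outside systemd control:", result["orphans"])
```

Run it before `certbot --nginx` to catch the stopped-nginx case, and after a failed run to find a master that `systemctl` can no longer stop.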