To support Let's Encrypt's HTTP acme-challenge more transparently, here is a config that can be used with nginx. When all traffic arriving over HTTP is redirected to HTTPS, it's easiest to answer the challenges directly, without the redirect.



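    server {
        server_name www.yes-www.org yes-www.org www.yes-www.com yes-www.com;

        listen [::]:80;
        listen 80;

        # Serve challenge files from /var/www/.well-known/acme-challenge/
        location /.well-known/acme-challenge/ {
            root /var/www;
            try_files $uri =404;
        }

        access_log off;

        # Redirect everything else to HTTPS. The return sits in a location
        # because a server-level return runs before location matching and
        # would redirect the challenge requests as well.
        location / {
            return 301 https://$host$request_uri;
        }
    }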

This appeared on serverfault literally as above. I modified it slightly to strip the initial path part of the URL off with a rewrite. Change the location part of the above to this:

    location /.well-known/acme-challenge {
      root /acme-challenge;
      rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
      try_files $uri =404;
    }

Then the challenges will end up in the /acme-challenge directory without a substructure (.well-known/acme-challenge), so when configuring dehydrated:

    WELLKNOWN=/acme-challenge

My usual mode of testing this kind of config is to echo hello > /acme-challenge/foo.txt and then use curl http://domain.io/.well-known/acme-challenge/foo.txt; if you see hello, then you should be good to go.
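The manual test above as a script, an added example that is not part of the original post: it drops a random token into the challenge directory, fetches it over plain HTTP without following redirects, and reports whether nginx served it directly, redirected it, or could not find it. The function names and the `WELLKNOWN` default are assumptions matching the dehydrated setting shown earlier.

```shell
#!/bin/sh
# Added example; WELLKNOWN is assumed to match the dehydrated setting.
WELLKNOWN="${WELLKNOWN:-/acme-challenge}"

# Interpret one probe. $1 = HTTP status, $2 = body received, $3 = body expected
acme_verdict() {
    case "$1" in
        200)
            # Served without a redirect; the content must be our token.
            if [ "$2" = "$3" ]; then echo ok; else echo wrong-body; fi ;;
        301|302|303|307|308)
            # The HTTP->HTTPS redirect fired before the challenge location.
            echo redirected ;;
        404)
            # Location matched but root/rewrite points at the wrong directory.
            echo not-found ;;
        *)
            echo "unexpected-$1" ;;
    esac
}

# Probe one domain. $1 = domain name
acme_probe() {
    name="probe-$$-$(date +%s)"
    token="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$token" > "$WELLKNOWN/$name" || return 2
    # No -L: a redirect must show up as a 3xx, not be followed silently.
    out="$(curl -s --max-time 10 -w '\n%{http_code}' \
        "http://$1/.well-known/acme-challenge/$name")"
    rm -f "$WELLKNOWN/$name"
    status="$(printf '%s\n' "$out" | tail -n 1)"   # last line is the status
    body="$(printf '%s\n' "$out" | sed '$d')"      # everything before it
    verdict="$(acme_verdict "$status" "$body" "$token")"
    echo "$1: $verdict (HTTP $status)"
    [ "$verdict" = ok ]
}

# Usage: sh acme-probe.sh domain.io [more domains...]
if [ "$#" -ge 1 ]; then
    rc=0
    for d in "$@"; do acme_probe "$d" || rc=1; done
    exit "$rc"
fi
```

Run it on the nginx host as a user that can write to the challenge directory; the exit status is non-zero if any domain fails.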