Please tell me how to write Let's encrypt's nginx directive



I use Plesk onyx to run the server and install Nextcloud on it. I have no problem with normal operation, but I am having problems with monthly update of Let’s Encrypt’s certificate. I can not update smoothly first. I am updating it by invalidating SSL or emptying the nginx directive.

This problem was introduced at the Plesk site.

Additional nginx directive is blocking communication between website and Let’s Encrypt issuing servers.

I only describe the contents introduced in the Nextcloud manual in the nginx directive.

The following is not written in manual.

location ~ /\. {
deny  all;

I added the following content that is being introduced to the nginx directive, but update still fails.

location ~ /\.(?!well-known).* {
deny all;

This is probably a problem unique to Plesk. Is it related to the transition from http to https?
I run two other sites within the same Plesk. Since there is a very simple state, I can update the certificate without any problem. When updating fails, I can not access files in .well-kown/acme-challenge/.

Once I update it I will revert the environment. After a while I can update the certificate without problems. Then as I approached the renewal deadline date, I can not renew when I try to update manually.

location ~ /\.(?!well-known).* {
deny all;

How can I process the above for Nextcloud? If you are using Nextcloud and Let’s Encrypt with Plesk, please tell me how to automatically renew certificates.


With “deny all” you achieve the complete opposite of what you want.

My nginx config reads (just as an example):

# ACME challenge
location ^~ /.well-known {
    allow all;
    alias /var/lib/letsencrypt/.well-known/;
    default_type "text/plain";
    try_files $uri =404;
location ^~ /.well-known/acme-challenge/ {
    allow all;
    alias /var/lib/letsencrypt/.well-known/acme-challenge/;

The other option you have, to successfully complete the acme challenge, is via DNS. If you are able to modify your DNS settings automatically (there are some DNS providers who allow that), you could switch to that challenge as well:


Thank you!
I will try to adjust like that. I need to wait until the next update time in order to know if there is no problem with setting.