chrispytoes

Reputation: 1889

Certbot having problems finding my ACME challenge on nodejs web application

I have a NodeJS web service which is exposed with a reverse-proxy using Nginx. I am trying to renew an SSL certificate from certbot, and for renewal it looks at domain.com/.well-known for the ACME challenge. However, the way I have the node service configured is that the root path does not serve files; the root of the domain is caught and handled by my web service. My actual public webroot is at domain.com/public, so the ACME challenge is really at domain.com/public/.well-known.

So there are two ways to fix this, I could figure out how to tell certbot to look at domain.com/public/.well-known instead of domain.com/.well-known, or figure out how to somehow "proxy" domain.com/public/.well-known to domain.com/.well-known.

Here is my config and failed attempt at redirecting it:

server {
    listen 80;
    listen 443 ssl;
    client_max_body_size 50M;
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    server_name domain.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /.well-known {
        # nginx variables are written $name or ${name}; "{$host}" emits literal braces
        return 302 http://$host/public$request_uri;
    }
}

Upvotes: 2

Views: 2511
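A more robust alternative to redirecting the challenge into the application is to let nginx serve the HTTP-01 challenge directly from a dedicated webroot, so the token files never depend on the Node service at all. The following server block is an added example, not the asker's configuration; /var/www/certbot is an assumed directory that certbot writes to and the nginx worker user can read, and the certificate paths are placeholders as on the page.

```nginx
# Added example: serve ACME HTTP-01 challenges from a static webroot
# and proxy everything else to the Node service.
server {
    listen 80;
    listen 443 ssl;
    client_max_body_size 50M;
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    server_name domain.com;

    # "^~" makes this prefix match win over "location /" and stops
    # regex locations from being evaluated, so the challenge request
    # is answered by nginx and never reaches the proxy.
    location ^~ /.well-known/acme-challenge/ {
        # Assumed path: certbot is pointed here with --webroot -w.
        # A request for /.well-known/acme-challenge/<token> is served
        # from /var/www/certbot/.well-known/acme-challenge/<token>.
        root /var/www/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    # All other paths still go to the Node application.
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

With this in place the renewal is run with the webroot plugin, e.g. `certbot certonly --webroot -w /var/www/certbot -d domain.com`, and can be checked before renewal by placing a file under /var/www/certbot/.well-known/acme-challenge/ and fetching it over plain HTTP on port 80 with curl; `nginx -t` validates the syntax before reloading.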

Answers (1)

John Hanley

Reputation: 81336

If you cannot use path based (HTTP) domain validation, you can use DNS based domain validation.

certbot certonly --manual --preferred-challenges dns -d mydomain.com

This will prompt you to add a TXT record to your domain's DNS server. Add the record and then wait a few minutes before pressing ENTER to continue.

Then copy the new certificates to your desired location.

Certbot User Guide

Upvotes: 3