After buying or otherwise obtaining certificates for this site for a number of years, I've recently moved to Let's Encrypt.

One of the biggest issues I found in setting it up was that certbot needs the well-known challenge artefact to be reachable over a plain, non-secure HTTP connection. That makes sense: validating over HTTPS would require the very certificate you are trying to obtain, a chicken-and-egg scenario.

The answer in the end was to split the secure and non-secure requests into two nginx server blocks. The non-secure block could then map the following location onto a plain directory on disk:

location /.well-known {
    # certbot (in webroot mode) writes the challenge file under this directory
    root /var/www/tls;
}
Mapping this location is important because the challenge file can't be created by node, yet it needs to look like it's part of the site. In effect the rest of the site is served by node while /.well-known is a standard web folder on disk.
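To show how the two server blocks fit together, here is an added example configuration (not the original post's config). It assumes the domain example.com, a node app listening on 127.0.0.1:3000, and the /var/www/tls webroot from the post; the certificate paths are the standard locations certbot uses once a certificate has been issued.

```nginx
# Added example, not the original post's configuration.
# Assumed names: example.com, node on 127.0.0.1:3000, webroot /var/www/tls.
# Once the port-80 block is live, issue the certificate with webroot mode:
#   certbot certonly --webroot -w /var/www/tls -d example.com
# certbot then writes /var/www/tls/.well-known/acme-challenge/<token>,
# which the location below serves from the same path.

# Plain HTTP: expose only the ACME challenge directory, redirect everything else.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/tls;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: proxy to node; the challenge path is never needed on this block.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two practical points: the port-80 block serves nothing but the challenge directory and redirects every other request, so the node app is never reachable in plaintext; and the files under /etc/letsencrypt/live/ do not exist until the first issuance succeeds, so start nginx with only the port-80 block (or with the ssl lines commented out), run certbot, and then enable the HTTPS block.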