The ACME spec says that http validation should be done via http, not https.

nginx/nginx.conf.default

@@ -26,8 +26,19 @@ http {
 
     server {
       listen 80;
-      listen 443 ssl;
       listen [::]:80;
+
+      location /.well-known/acme-challenge {
+        proxy_pass http://admin:8081;
+      }
+
+      location / {
+        return 301 https://$host$request_uri;
+      }
+    }
+
+    server {
+      listen 443 ssl;
       listen [::]:443 ssl;
 
       # TLS configuration hardened according to:
@@ -43,10 +54,6 @@ http {
 
       add_header Strict-Transport-Security max-age=15768000;
 
-      if ($scheme = http) {
-    		return 301 https://$host$request_uri;
-    	}
-
       # Load Lua variables
       set_by_lua $webmail 'return os.getenv("WEBMAIL")';
       set_by_lua $webdav 'return os.getenv("WEBDAV")';
@@ -93,9 +100,5 @@ http {
           return 403;
         }
       }
-
-      location /.well-known/acme-challenge {
-        proxy_pass http://admin:8081;
-      }
     }
 }