If your goal is to get an additional TLS certificate (separate from the one automatically issued by SSL It! in Plesk), you won’t be able to use the normal webroot ACME challenge, because, as you noticed, nginx blocks direct access to `/.well-known/acme-challenge/`.
A few alternatives you can try:
- Use the **DNS-01 challenge** instead of HTTP-01. Let’s Encrypt supports this, and it doesn’t depend on webroot access.
- If you only need the cert for client-side authentication, you could generate it via certbot or acme.sh on your local machine and then import it into Plesk.
- Or simply rely on the default Let’s Encrypt certificate managed by SSL It! for the domain, since it’s already trusted by browsers/clients.
If you don’t have a VPS, the easiest and most reliable approach is probably **DNS-01 validation** through your domain’s DNS provider. That way you can still issue a valid cert without touching nginx config.
Hope this clears things up a bit!