Redirect all requests to HTTPS, except for one subdirectory

redirect http nginx https lets-encrypt

Try this:

server {
    listen  80;     
    server_name     sub.domain.tld;
    server_tokens   off;

    root /var/www/letsencrypt;

    location /.well-known {
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

Since there was no try_files entry in your virtual server, it didn't know what to do with requests coming to /.well-known.

Related

SOA and Primary NS record (DNS)
Why don't NS records contain IP addresses?
SQL Server to SQL Server linked server setup
DNS: trailing periods
Apache .htaccess trick to authenticate only once for all subdomains?
How can I update the SmartArray P410i firmware on a DL360G6? The usual method via SPP Auto-Update fails
How to request/acquire all records from a DNS?
Accessing localhost (xampp) from another computer over LAN network - how to? [closed]
Mounting windows shares with Active Directory permissions
Can't change assigned key pair on amazon ec2 instance
I overwrote a large file with a blank one on a linux server. Can I recover the existing file?
How to log on MySQL on CentOS 6.3 using root account from the domain and not localhost?