
To enable domain authentication via acmetool, nginx should always have an unsecure default server which proxies .well-known/... to acmetool and otherwise rewrites requests to HTTPS

Till Klocke 8 gadi atpakaļ
vecāks
revīzija
2a7cc097b6

+ 13 - 0
roles/service-nginx/tasks/nginx.yml

@@ -9,3 +9,16 @@
 - name: ensure nginx ssl parameters are installed
   copy: src=ssl.conf dest=/etc/nginx/ssl.conf
   notify: reload nginx
+
+- name: Ensure unsecure default configuration is up to date
+  template:
+    src: nginx_unsecure_default.conf.j2
+    dest: /etc/nginx/sites-available/unsecure_default.conf
+
+- name: Ensure unsecure default configuration is enabled 
+  become: yes
+  file: 
+    state: link
+    dest: /etc/nginx/sites-enabled/unsecure_default.conf
+    src: /etc/nginx/sites-available/unsecure_default.conf
+  notify: Reload nginx
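Review bot: The new link task notifies `Reload nginx`, while the existing ssl task just above notifies `reload nginx`. Ansible matches handler names exactly, so unless a handler with the capitalised name is defined outside this hunk, the notification will not reach the existing handler; use `notify: reload nginx`. The template task has no `notify` at all, so a later change to the template is written to disk but nginx keeps serving the old configuration until something else triggers a reload; add the same `notify: reload nginx` there. The template task also lacks the `become: yes` that the link task sets, and giving it explicit `owner`, `group` and `mode` would keep the generated file root-owned and not writable by other users.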

+ 16 - 0
roles/service-nginx/templates/nginx_unsecure_default.conf.j2

@@ -0,0 +1,16 @@
+server {
+  listen          [::]:80 default_server;
+  listen          80 default_server;
+  server_name     _;
+
+  access_log off;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+
+  location /.well-known/acme-challenge/ {
+    include           proxy_params;
+    proxy_pass        http://127.0.0.1:402;
+  }
+}
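Review bot: The redirect in `location /` builds its target from `$host`, which on this `default_server` with `server_name _;` is whatever hostname the client supplied, so the server answers with a permanent redirect for names this machine does not serve. If the role knows which domains it hosts, listing them in `server_name` and answering everything else with `return 444;` would stop the catch-all from vouching for arbitrary hostnames; a cache in front of nginx could otherwise retain a 301 with an unexpected Location, though whether that applies depends on the deployment. Separately, `access_log off;` also covers the challenge location, so validation requests and probing on port 80 leave no record; consider re-enabling `access_log` inside `location /.well-known/acme-challenge/`.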