If you configure your Nginx to redirect all http traffic to https, it might interfere with letsencrypt renewal. Example:

server {
        listen 80;
        listen [::]:80;
        return 301 https://$host$request_uri;
}

You will get a message such as the following when the renew is executed:

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response 

This is caused by the renewal authorization file (located at /.well-known/acme-challenge) is not accessible in http protocol. You can add a special location block to walk-around this.

server {
        listen 80;
        listen [::]:80;
        location /.well-known/acme-challenge/ {
                root /path/to/app/public;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}

Note that the path to app public directory needs to match with your renewal conf file. The conf file is located at: /etc/letsencrypt/renewal