Alex

Live

Currently there is a generated file in /etc/nginx/ploi/:domain/server/disable-basic-auth-well-known.conf:

# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/ {
        auth_basic off;
}

The problem with this is that when this location block matches (for all /.well-known/) it can only serve static files. This is fine for Let's Encrypt of course, but not if you want your application to handle files in the .well-known directory.

Instead this snippet should be changed to:

# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
        auth_basic off;
}

This ensures the acme-challenge directory is unprotected but other folders/locations in .well-known can be handled by other location blocks.

This allows doing things like implementing /.well-known/change-password for password managers or a dynamic /.well-known/manifest.webmanifest etc.

Would be greatly appreciated if this change can be made for new sites since it's a royal PITA to change this myself for every site created.

.well-known directory not usable by application

2 total votes
richard Alex
  • Dennis moved item to board Live

    2 years ago
  • Dennis moved item to board In progress

    2 years ago
  • Alex moved item to project Server Level Requests

    2 years ago
  • Alex created the item

    2 years ago
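
For servers that already have many sites, the change requested above can be applied to every generated snippet in one pass. This is an added example, not Ploi's code or part of the original request: the function names and the `--apply` switch are hypothetical, and the directory layout is assumed to be /etc/nginx/ploi/:domain/server/ as the post describes.

```shell
#!/bin/sh
# Added example (not Ploi's code): narrow the basic-auth exemption in each
# generated snippet from /.well-known/ to /.well-known/acme-challenge/.
# Assumption: snippets live at ROOT/<domain>/server/$SNIPPET, as in the post.

SNIPPET=disable-basic-auth-well-known.conf

# list_broad ROOT: print every snippet that still exempts all of /.well-known/.
# Comment lines are skipped because the match must start with "location".
list_broad() {
    for f in "$1"/*/server/"$SNIPPET"; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*location[[:space:]]+/\.well-known/[[:space:]]*\{' "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# narrow_all ROOT: rewrite each broad snippet in place and print how many
# files were changed. Running it again changes nothing (idempotent).
narrow_all() {
    broad=$(list_broad "$1")
    [ -n "$broad" ] || { echo 0; return 0; }
    printf '%s\n' "$broad" | while IFS= read -r f; do
        tmp=$(mktemp) || exit 1
        sed -E 's#^([[:space:]]*location[[:space:]]+)/\.well-known/([[:space:]]*\{)#\1/.well-known/acme-challenge/\2#' "$f" > "$tmp"
        cat "$tmp" > "$f"    # overwrite contents, keep owner and mode
        rm -f "$tmp"
    done
    printf '%s\n' "$broad" | wc -l | tr -d ' '
}

# Only touch the live configuration when asked to; validate before reloading.
if [ "${1:-}" = "--apply" ]; then
    narrow_all /etc/nginx/ploi && nginx -t && nginx -s reload
fi
```

Run `list_broad /etc/nginx/ploi` first to review which sites still exempt the whole directory from basic auth before rewriting anything.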