Seems like if you have a NodeJS app running that is proxied to / then Let's encrypt will fail at it's callbacks when issuing a certificate.
Temporary moving it to /test or something will make Lets' Encrypt work. Then moving it back.
Not sure how this will affect renewals.
