LetsEncrypt

nginx server block is configured for subdomain 
server {
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

here our applcation deny access to /.well-know/acme-challenge route. That's why letsencrypt also cannot get access to this route for granting cert to subdomain

solution:
sudo echo hi > /var/www/letsencrypt/.well-known/acme-challenge/hi
then add to subdomain nginx server block

location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  rewrite /.well-known/acme-challenge/(.*) /$1 break;
  root /var/www/letsencrypt;
}
Ozal Zarbaliyev