Yeah, this should work:
```
http://example.com {
	handle /.well-known/acme-challenge/* {
		reverse_proxy <your-upstream>
	}
	handle {
		redir https://{host}{uri} 308
	}
}

example.com {
	respond "https"
}
```
You need that 2nd `handle` to preserve the HTTP->HTTPS redirects