Alex Gleason (npub1q3s…d26p) looks like that clever compound or statement in the sample nginx config doesn't play well with certbot handling SSL from nginx. had to break down the location filter of .well-known/(nodeinfo|nostr.json) into seperate ones, and roll in the acme-challenge & pki-validation into another one below it.
I'll find out in an hour and see if i can renew my cert...