
The Ultimate Guide to Shopify SEO in 2026

Super Admin
admin
1/25/2026

Perfect — this output actually tells us exactly what state your server is in.
Nothing is “mysterious” anymore. You are in a Certbot deadlock caused by an invalid Nginx config.

I’ll walk you through the only correct recovery sequence used in production.


What Is Happening (Root Cause — confirmed)

Certbot cannot run because:

listen 443 ssl;

exists WITHOUT these two directives in the same server block:

ssl_certificate
ssl_certificate_key

Because of that:

  • nginx -t ❌ fails

  • Certbot nginx plugin ❌ refuses to run

  • Certbot cannot generate or reattach certs

  • You are stuck in a loop

This is expected behavior per Nginx & Certbot design.
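A pre-flight check for the condition described above, as an added example that is not part of the original post or of Nginx or Certbot. The function name check_ssl_blocks and the host name api.example.test are hypothetical. It assumes "server {" sits on one line and does not follow include files or certificates inherited from the http level.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight check for the deadlock above.
# Reports every server block that has "listen ... ssl" but lacks ssl_certificate
# or ssl_certificate_key. Assumptions: "server {" sits on one line, and
# include files / http-level certificate inheritance are not followed.
check_ssl_blocks() {   # $1 = nginx config file; returns 1 if a broken block is found
    awk '
    { sub(/#.*/, ""); $0 = " " $0 " " }          # drop comments, pad for word matching
    !in_srv && /[ \t;{}]server[ \t]*[{]/ { in_srv = 1; depth = 0; start = NR; ssl = cert = key = 0 }
    in_srv {
        if ($0 ~ /[ \t;{]listen[ \t][^;]*[ \t]ssl[ \t;]/) ssl = 1
        if ($0 ~ /[ \t;{]ssl_certificate[ \t]/)           cert = 1
        if ($0 ~ /[ \t;{]ssl_certificate_key[ \t]/)       key = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0) {                          # closing brace of this server block
            if (ssl && !(cert && key)) {
                printf "%s:%d: listen ... ssl without ssl_certificate or ssl_certificate_key\n", FILENAME, start
                bad = 1
            }
            in_srv = 0
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the broken state described above (hypothetical host name).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    server_name api.example.test;
    location / { proxy_pass http://127.0.0.1:3000; }
}
EOF
check_ssl_blocks "$sample" || echo "fix these blocks before running certbot --nginx"
rm -f "$sample"
```

Running it over each file in /etc/nginx/sites-enabled/ shows which server block is responsible before nginx -t is attempted.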



The ONLY Correct Recovery Path (Production-safe)

We must do this in 2 phases:


PHASE 1 — Make Nginx VALID (temporarily HTTP only)

Goal: make nginx -t pass so Certbot can work

1️⃣ Edit the broken config

sudo nano /etc/nginx/sites-enabled/api.ghumio.com

2️⃣ TEMPORARILY replace it with THIS (HTTP ONLY)

server {
    listen 80;
    server_name api.ghumio.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Important
There must be NO listen 443 ssl anywhere right now.


3️⃣ Test & reload Nginx

sudo nginx -t
sudo systemctl reload nginx

Expected:

syntax is ok
test is successful

📚 Why this is required:
https://nginx.org/en/docs/beginners_guide.html#control


PHASE 2 — Reinstall SSL cleanly using Certbot

Now Nginx is valid → Certbot will work.

4️⃣ Run Certbot again

sudo certbot --nginx -d api.ghumio.com

Certbot will:

  • Create certificates

  • Inject ssl_certificate lines

  • Add HTTPS server block

  • Add HTTP → HTTPS redirect

  • Recreate options-ssl-nginx.conf

📚 Certbot nginx automation:
https://certbot.eff.org/docs/using.html#nginx


5️⃣ Verify files now exist

ls -l /etc/letsencrypt/live/api.ghumio.com/
ls -l /etc/letsencrypt/options-ssl-nginx.conf

6️⃣ Final test

sudo nginx -t
sudo systemctl reload nginx

PHASE 3 — (Optional) Re-apply API hardening

Now you can safely edit HTTPS config to add:

  • /api/ no-cache

  • rate limiting

  • HTTP/2

  • WebSocket headers

Because SSL is now valid again.

📚 Safe post-Certbot editing:
https://nginx.org/en/docs/http/configuring_https_servers.html


Why This Is the Only Correct Fix

| Attempt | Why it failed |
| --- | --- |
| Certbot reinstall | Nginx config invalid |
| Manual cert reuse | ssl_certificate missing |
| Reload nginx | SSL contract violated |
| Renew dry-run | Certbot blocked by nginx |

This two-phase reset is the documented, production-safe solution.


Final Validation Checklist

After everything:

sudo nginx -t
curl -I https://api.ghumio.com
sudo certbot renew --dry-run

Expected:

  • HTTP/2 200

  • No nginx errors

  • Certbot renewal succeeds


Final Verdict

  1. ✔ Your app is fine
