Ah! I knew I was forgetting something: much like that dude living in a cave in Lost, I have to SSH into that server and HUP nginx every ~80 days, as the user that does the certificate renewal isn't the same user that runs nginx.
One day I'll overengineer something to solve this, but for the meantime it's "ssh statichost -- sudo kill -s HUP 947" every so often. Thanks for reminding me, much appreciated!
