Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Edit: I’m going to bed, but if it’s sitting in front, it might be helpful to post your full Varnish VCL to check whether the request is making it to nginx unmolested.
The additional option tells certbot to use port 8080 to complete the challenge; it won’t make any difference to the CA, which will still connect on port 80, but hopefully Varnish will proxy it to the correct place.
It’s also worth noting that Varnish doesn’t natively support HTTPS, so when certbot automatically configures nginx to enable HTTPS on port 443, that will be nginx listening directly on port 443, bypassing Varnish. If you want to keep Varnish involved, you could configure nginx with a separate server block on port 443 that just proxies back to Varnish on port 80 (this example may help), which in turn proxies back to the original nginx backend on port 8080. I’ve done something similar with Apache, but it was on a fairly low-traffic site, so I don’t know how it holds up under load.
Also, Drupal 7 tries to guess whether it’s running on HTTP or HTTPS so that it can generate URLs correctly for stylesheets etc., but if it’s behind a proxy it can guess wrong and leave your site looking like the theme is broken. The fix I usually use is to add something like this to settings.php:
(this depends on the X-Forwarded-Proto header that’s added to the nginx proxy config in the example I linked above). Alternatively you can set $base_url to the HTTPS version of your site, which works just fine in most cases.
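The settings.php snippet the reply above refers to was not preserved; the following is an added example (not the reply author’s code) of that approach for Drupal 7. It only honours X-Forwarded-Proto when the request actually came from the proxy, so a client that reaches the backend port directly cannot forge the scheme; the proxy address 127.0.0.1 is an assumption.

```php
// Append to an existing Drupal 7 sites/default/settings.php (the file
// already opens with <?php). Added example; the proxy address is assumed
// to be Varnish/nginx on the same host.

// Tell Drupal 7 it sits behind a reverse proxy and which peers to trust.
// Drupal uses this list for X-Forwarded-For handling in ip_address();
// the same list is reused below for X-Forwarded-Proto.
$conf['reverse_proxy'] = TRUE;
$conf['reverse_proxy_addresses'] = array('127.0.0.1');

// Drupal 7 decides between http:// and https:// (for $base_url, CSS/JS
// URLs and absolute links) from $_SERVER['HTTPS'], which is evaluated
// right after settings.php is included. Set it only when the TCP peer is
// a trusted proxy and that proxy says the client connection was TLS.
$peer_is_trusted_proxy = isset($_SERVER['REMOTE_ADDR'])
  && in_array($_SERVER['REMOTE_ADDR'], $conf['reverse_proxy_addresses'], TRUE);

if ($peer_is_trusted_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
  $_SERVER['HTTPS'] = 'on';
}
else {
  // Unset any value injected by an untrusted client so it is not honoured.
  unset($_SERVER['HTTPS']);
}
```

The nginx server block on port 443 must set `proxy_set_header X-Forwarded-Proto $scheme;` for this to work, and nginx (or Varnish) should overwrite, not pass through, any X-Forwarded-Proto header supplied by the client.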
If the above does not help, then please share your full Varnish VCL and the relevant nginx configuration.