I ran this command: letsencrypt --nginx -d www.lyra.foundation -d lyra.foundation
It produced this output: Produced a fullchain.pem all fine.
My web server is (include version): nginx
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: It's a 128 GB RAM 12 Core Scaleway Bare Metal
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0
I wouldn't dare to assume DNS for new gTLDs to be the problem, since another .org domain doesn't work either.
The only thing I can think of is that all domains that don't work have in common that the certificate for www. was requested before the @ domain (www.lyra.foundation before lyra.foundation) and nginx includes /etc/letsencrypt/.../www.lyra.foundation rather than lyra.foundation
I didn't check if there is a fullcert.pem for each specific hostname, and my knowledge of HTTPS lacks the detail whether a single fullchain.pem can support www. and @
You can simply tap on the text without hitting "Details" (title or text, doesn't matter, as long as you miss the "Details" link). Then, the text changes and a link with "Certificate information" is shown, which can be tapped/clicked.
It then shows the end leaf certificate of the site presented to the browser and at the top there's a pull-down menu for the chain.