Cannot renew Let's Encrypt after installing ModSecurity on nginx (CentOS 7)

@daolt Certbot has always had some trouble with the fact that the configuration language for nginx is not really fully specified anywhere. Therefore it can be difficult for Certbot to predict exactly what can or cannot occur inside of an nginx configuration file.

Although it is technically a bug in Certbot if it doesn’t accept the same configuration files that nginx itself does, this can be hard to fix in a general way without a specification from nginx about exactly what we should accept as valid. I’m not sure that Certbot will be able to offer a fix to this issue anytime soon.

In this case, your configuration is describing how to detect certain malicious web requests that should be rejected as possible attacks against your server. A workaround could be to describe the \u201c quote character in some other way in the configuration rather than presenting a UTF-8 encoded copy of that character. In this case it appears as part of a character class in a regular expression pattern, and probably the regular expression library has some other way to refer to this character with an escaped form. If you don’t know how to do that, you might want to ask the person who wrote this security rule to help create a pure-ASCII equivalent form.

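One way to locate the characters the reply above refers to, as an added example (not part of the original post and not Certbot's own code): the script lists every non-ASCII character in a configuration file with its line, column, code point and UTF-8 bytes. The function name `find_non_ascii` and the sample rule are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample, not the poster's configuration: a rule whose regex
# character class contains a UTF-8 encoded U+201C quote.
SAMPLE = (
    "# constructed sample\n"
    "SecRule ARGS \"@rx [\u201c']\" \"id:900001,deny\"\n"
).encode("utf-8")


def find_non_ascii(data: bytes):
    """Return one finding per non-ASCII character (or invalid byte) in data."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if raw.isascii():
            continue
        # surrogateescape keeps undecodable bytes as U+DC80..U+DCFF
        text = raw.decode("utf-8", errors="surrogateescape")
        for col, ch in enumerate(text, start=1):
            cp = ord(ch)
            if cp < 0x80:
                continue
            if 0xDC80 <= cp <= 0xDCFF:  # byte that is not valid UTF-8
                findings.append({"line": lineno, "col": col, "codepoint": None,
                                 "name": "invalid UTF-8 byte",
                                 "utf8": f"\\x{cp - 0xDC00:02x}"})
            else:
                findings.append({"line": lineno, "col": col,
                                 "codepoint": f"U+{cp:04X}",
                                 "name": unicodedata.name(ch, "unknown"),
                                 "utf8": "".join(f"\\x{b:02x}"
                                                 for b in ch.encode("utf-8"))})
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan each file.
    sources = sys.argv[1:] or [None]
    for path in sources:
        data = SAMPLE if path is None else open(path, "rb").read()
        for f in find_non_ascii(data):
            print(f"{path or '<sample>'}:{f['line']}:{f['col']} "
                  f"{f['codepoint'] or '-'} {f['name']} bytes={f['utf8']}")
```

Whether the pure-ASCII replacement should name the code point or the byte sequence depends on how the rule engine compiles the pattern, so the output only identifies what needs rewriting.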