A "renewal" is actually just another new one.
There is no way to make even the tiniest of modification to a cert.
Any change requires a new cert.
"renewal" is just for humans to "understand" the process.
When your credit card expires they issue you a new one.
You can think of it as renewing the previous card, but the truth is they are two completely independent cards [sometimes even the entire number can change].
In that same sense, certs change just as completely.
Then you insure nginx is using the latest live paths.
Then you can restart nginx.
Your forced issuance uses certonly.
That will NOT install the cert, nor make any nginx modifications for you.
[most are already in place from previous installs - you only need to confirm/update the cert paths]
Both are done and the certs have been updated for the 3 month window! Thank you so much for everything. I'm the devops engineer here so I have to read the Certbot/LetsEncrypt documentation to bone up on this. This community is amazing!