Certbot error: "Redirect loop detected"

No. The listen statements should look like below. I also added items in your HTTP server block to handle the --webroot method you are now using. It looks like you made significant changes to your nginx config after getting the original cert for your certbot renew to now fail like it does.

server {
    listen 80;
    listen [::]:80;
    server_name rpiweather.net www.rpiweather.net;

    # ACME Challenges use this root folder (from your old https server block)
    location /.well-known/acme-challenge/ {
        root /var/www/rpiweather.net;
    }

    # All other requests get redirected to https
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name rpiweather.net www.rpiweather.net;

    root /var/www/rpiweather.net;
    index index.html;

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/rpiweather.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rpiweather.net/privkey.pem; # managed by Certbot

    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    location / {
        try_files $uri $uri/ =404;
    }
}

Also, why do you even have this line? Your certbot renew did not use the --nginx plugin installer so you would never have gotten this file. And, Certbot never would have placed this line in your nginx config.

Do you have ssl options configured somewhere else? Such as ssl_ciphers, ssl_protocols, and so on?

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
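The HTTP server block in the post above keeps challenge requests out of the HTTPS redirect because nginx picks the longest matching prefix location. As an added example (not part of the original post and not Certbot's code), this Python check reads a config and reports how its port-80 server handles a challenge URI versus an ordinary one. The function names and the simplified parsing (plain prefix locations, `listen 80` and `listen [::]:80` only) are assumptions.

```python
import re

# Constructed sample: the plain-HTTP server block suggested in the post above.
SAMPLE = """
server {
    listen 80;
    listen [::]:80;
    server_name rpiweather.net www.rpiweather.net;
    location /.well-known/acme-challenge/ { root /var/www/rpiweather.net; }
    location / { return 301 https://$host$request_uri; }
}
"""
LOCATION = re.compile(r"location\s+(/\S*)\s*\{([^{}]*)\}")  # plain prefix locations only
REDIRECT = re.compile(r"\breturn\s+30[1278]\b")

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def handler_for(body, uri):
    """Directives that answer `uri`: a server-level return wins, else the longest prefix location."""
    server_level = LOCATION.sub("", body)
    if REDIRECT.search(server_level):
        return server_level
    locs = dict(LOCATION.findall(body))
    hits = [p for p in locs if uri.startswith(p)]
    return locs[max(hits, key=len)] if hits else server_level

def check_http_block(conf):
    """Summarise how the port-80 server treats a challenge URI and an ordinary URI."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments such as the disabled include line
    for body in server_blocks(conf):
        if not re.search(r"listen\s+(\[::\]:)?80\b", body):
            continue
        acme = handler_for(body, "/.well-known/acme-challenge/token")
        root = re.search(r"\broot\s+([^;\s]+)\s*;", acme)
        return {
            "acme_redirected": bool(REDIRECT.search(acme)),
            "acme_root": root.group(1) if root else None,
            "other_redirected": bool(REDIRECT.search(handler_for(body, "/index.html"))),
        }
    return None

if __name__ == "__main__":
    print(check_http_block(SAMPLE))
```

A result with `acme_redirected` set to true means the challenge request would be sent to HTTPS instead of being served from the webroot.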