First, I am on a typo bonanza here... both:
listen 80 default_server;
...and:
.../live/michaeljinks.com
...both were correct on the host. I don't know why copy-and-paste doesn't like me lately. Carrying on:
To make sure we're clear: the goal in the main nginx.conf (repeat):
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
[...]
...really is to catch anything pointed at port 80, and change it to port 443, that's the point of that section: avoid sections receiving any non-secure traffic. Am I truly leaving out something that has to be there? This setup hasn't been causing errors (as far as I've seen) and it's been like that for some time. For instance, if I deliberately point at:
http://twork.sswormwood.com
...that gets redirected to the https version, no issues, and no section-specific entries in the main.
If that section of the nginx.conf base file really does need to change, then I'll need further hinting.
Moving on: with the "michaljinks.com" file set removed:
$ sudo certbot certonly --nginx --dry-run --cert-name michaeljinks.com -d michaeljinks.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for michaeljinks.com
The dry run was successful.
Keen? Next?
Much thanks.