I believe Certbot checks to ensure the file is served before continuing, and it cleans up afterwards.
I think the issue is due to LetsEncrypt not being able to hit the domain via IPv6 routing. A lot of things could cause that. I would try dropping the host to IPv4 during setup if possible.
The first "fix" i would try, is just to ensure it's not an IPv6 issue by dropping that down to IPv4. Some ways to do that are in this thread:
If that doesn't work, the easiest way to handle this is to deal with 2 minutes of downtime and shutdown nginx, then run Certbot in "--standalone" mode on port 80. Certbot will bind to 80, run it's own server, and you can just copy the configuration from a working domain to this one -- referencing the correct domains.
You'll still need to address the cause of this (which i do think is ipv6 related; many people have similar issues) before renewal time - but dropping to ipv4 or running certbot in standalone mode should get your site secured in the interim.