Does Certbot really need /etc/letsencrypt/options-ssl-nginx.conf?

Certbot has what's called "authenticator" plugins, and "installer" plugins:

  • "Authenticator" plugins automatically configure your webserver to perform challenge validation for issuing certificates.
  • "Installer" plugins add your certificates to your webserver, once Certbot has issued them. They also configure things like ciphersuites based on current practices (which are based on Mozilla's recommendations).

As the admin of your webserver, you can make a choice about whether you want Certbot to perform the installation of your certificate, or whether you want to do it yourself.

When you run certbot --nginx, that is really saying certbot --authenticator nginx --installer nginx: do both for me.

You can get Certbot to do only the authenticator part, and to leave the configuration of the SSL certificates and settings to you: certbot certonly -a nginx.

In your case, it sounds like you made it do both, when you only wanted the authenticator part.

In your current situation, I believe you should just modify /etc/letsencrypt/options-ssl-nginx.conf to your liking, and remove the redundant settings from nginx.conf. Or you can comment out/truncate the contents of that file, and keep your nginx.conf settings. Either way is fine.

Certbot will avoid overwriting that file if it detects that it has been modified at all. It does this by only updating it if it exactly matches a previous version that shipped with Certbot.

1 Like
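The "only overwrite if it still matches a shipped version" rule in the answer above, as an added POSIX shell example (not Certbot's own code): the file is hashed and compared against the hashes of every previously shipped version, and any edited file matches none of them, so it is left alone. The hash list and the file contents here are constructed for the demo, not Certbot's real ones.

```shell
#!/bin/sh
# Added example, not Certbot's code: mimic the rule Certbot applies to
# /etc/letsencrypt/options-ssl-nginx.conf, where the file is only replaced
# when its hash matches a version Certbot itself shipped.

# Portable SHA-256 of a file (coreutils sha256sum, or BSD shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when the file is byte-identical to a shipped version (safe to
# update), 1 when it has been modified or is missing (leave it alone).
#   $1 = path to the options file
#   $2 = whitespace-separated hashes of previously shipped versions
ssl_options_unmodified() {
    path="$1"; known_hashes="$2"
    [ -f "$path" ] || return 1
    current=$(file_sha256 "$path")
    for h in $known_hashes; do
        [ "$h" = "$current" ] && return 0
    done
    return 1
}

# Prints the decision Certbot would take for one file.
decide() {
    if ssl_options_unmodified "$1" "$2"; then
        echo "$1: unmodified, would be updated"
    else
        echo "$1: locally modified, left untouched"
    fi
}

# Demo with constructed data: a "shipped" options file, an untouched copy,
# and a copy the admin edited by hand.
demo_dir=$(mktemp -d)
printf 'ssl_protocols TLSv1.2 TLSv1.3;\n' > "$demo_dir/shipped.conf"
known=$(file_sha256 "$demo_dir/shipped.conf")   # constructed "shipped" hash list
cp "$demo_dir/shipped.conf" "$demo_dir/untouched.conf"
cp "$demo_dir/shipped.conf" "$demo_dir/edited.conf"
printf '# local tweak by the admin\n' >> "$demo_dir/edited.conf"
decide "$demo_dir/untouched.conf" "$known"
decide "$demo_dir/edited.conf" "$known"
rm -rf "$demo_dir"
```

Commenting out or truncating the file, as the answer suggests, changes its hash just like any other edit, so the check above treats it as modified and leaves it alone.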