I think there's one or two things off with this section, and the other equivalent ones. Try:
location /.well-known/acme-challenge/ {
root /var/www/heartyk9s.ca/html;
}
location / {
return 301 https://heartyk9s.ca$request_uri;
}
... and the equivalent derivatives in your other server blocks.
"/.well-known'" could be a minor problem. It covers any other files or subdirectories you might add to /.well-known/ in the future.
More critically, because the "return" directive is in the top level of the server block, i think the location block is effectively ignored.
Therefore, the requests to http://heartyk9s.com/.well-known/acme-challenge/ and http://www.heartyk9s.com/.well-known/acme-challenge/ go to https://heartyk9s.ca/.well-known/acme-challenge/, which has a different root configured, and the files can't be found.
(For the heartyk9s.ca sites, the redirect is harmless, since the HTTP and HTTPS versions would have the same root anyway.)
Those two server blocks are missing ssl_certificate and ssl_certificate_key directives (and your other SSL settings, of course). Nginx will be unhappy about that; you'd need to either add certificates (even if they're self-signed or for another domain or something) or disable those server blocks.
They're not related to the renewal. Does error.log have anything else within a second or two of the timestamps in access.log?
Thoguh it doesn't matter if i have figured out what was wrong.