Turns out digging in for better context quickly led me down the right path; it was due to "ACME server returned an error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API (End of Life Plan for ACMEv1)". Adding a patch for letsencrypt-nginx-proxy-companion did the trick. 
2 Likes