That would certainly explain why the tls-sni challenge didn’t work, at least.
Do you have more than one server behind the load balancer? If so, you might need to configure it to send requests for `/.well-known/acme-challenge/*` paths to a particular backend server, so that certbot can run on that server and be able to answer the challenges. If you can’t get the load balancer to do that, you could configure nginx on the other servers to proxy those requests to the server where certbot is running. Or if you have a shared mount for your web root, you could try the `--webroot` plugin instead of
If you just have the one backend server, the problem might be due to some quirk of your nginx configuration that’s somehow incompatible with certbot’s configuration parser, in which case it would still be useful to see your nginx configuration.
Another possibility might be to allow the load balancer to obtain and install certificates by itself, which it appears Digital Ocean’s load balancers are able to do. This would save you the trouble of having to manually install the new cert to the load balancer after each renewal (or writing a script to do so). However, you would have to move your DNS to Digital Ocean as well in order to take advantage of this. Also, that wouldn’t (by itself) secure the connection between the load balancer and the droplet(s).
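As an added illustration (not part of the post above), the proxying arrangement described there, written as nginx configuration; it assumes a constructed private address 10.0.0.10 for the backend where certbot runs, a placeholder domain example.com, and certbot invoked with `--webroot -w /var/www/letsencrypt`:

```nginx
# Backends that do NOT run certbot: forward HTTP-01 challenge requests
# to the single backend where certbot runs, so the challenge is answered
# no matter which backend the load balancer picks.
# 10.0.0.10 is a constructed address, example.com a placeholder domain.
server {
    listen 80;
    server_name example.com;

    # "^~" makes this prefix location win over any regex locations,
    # so a catch-all rewrite elsewhere cannot swallow the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;
    }

    # ... normal site configuration ...
}

# Backend that runs certbot, e.g.:
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
# Serve challenge files straight from that webroot directory.
server {
    listen 80;
    server_name example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # ... normal site configuration ...
}
```

Before requesting a certificate, drop a test file into /var/www/letsencrypt/.well-known/acme-challenge/ on the certbot host and fetch it through the load balancer's public address several times; if every request returns the file, the routing is in place for the real challenge.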