Hi - thank you so much for the suggestions. We've been working feverishly to get this back up and running and, as you point out, we did eventually get a certificate through a roundabout process -- we cloned the VM, brought a copy up in a different network environment, renewed our certificates, and then brought the renewed snapshot back into the original environment -- but the original environment is not set up correctly.
I noticed the curl response oddities as well, and it seemed to be a firewall issue, but we could not find the actual problem. It's an Ubuntu VM (we checked iptables and ufw, both seemed fine, and we disabled SentinelOne for the purposes of our test) running on Azure (we checked the network gateway there, as well as the Azure firewalls) and managed by a third party that runs a Palo Alto firewall on top of everything else. We'll need to figure out exactly where the issue is in order to renew next time.
This was additionally complicated for us by the fact that the nginx instance in question is packaged with an older version of GitLab, and the nginx config file and logs were not in the usual locations.
If we find another lead or the solution, we will make sure to post it here. Thank you again for your help!