Okay, so after a few hits and misses I finally got everything working okay, after installing certbot, but still have a couple of questions.
a) So, I believe I can just let cron take care of doing certbot auto-renewals for the domain in question, and did the dry-run test successfully. I just want to be certain that I don't manually need to add anything to my crontab, given:
$ systemctl list-timers NEXT LEFT LAST PASSED UNIT ACTIVATES Thu 2020-10-01 10:33:00 EDT 58min left Wed 2020-09-30 14:10:00 EDT 19h ago snap.certbot.renew.timer snap.certbot.renew. Thu 2020-10-01 15:06:44 EDT 5h 32min left Wed 2020-09-30 15:06:44 EDT 18h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-cl Fri 2020-10-02 00:00:00 EDT 14h left Thu 2020-10-01 00:00:01 EDT 9h ago unbound-anchor.timer unbound-anchor.serv
(i.e. the top line with the snap.certbot.renew.timer should take care of everything, right?)
b) I get the browser padlock on all pages of the domain (except maybe a couple with mixed content I haven't yet got to fixing), and https://www.whynopadlock.com/ passes everything okay, but with one exception, which is:
You have an invalid or missing intermediate (bundle) certificate. This may not break your padlock on all browsers, but will on others. Please contact your SSL Vendor for assistance with this error.
Is this something that somebody can point me in the right direction with please? Thank you!