Okay, yeah I’ve got misunderstandings of how HSTS works. I figured that once it was enabled then normal http was inaccessible. I see now that it’s more of a suggestion to the browser rather than a hard and fast rule.
I came across a post that shows how to view the site anyway in Chrome, by telling it to ignore HSTS.
How To Bypass Chrome’s HSTS Warnings
Now I’ve created the .well-known/acme-challenge directory myself and thrown an empty test.txt file in there, and when I try accessing it from the browser I get a 404 too.
https://grantwinney.com/.well-known/acme-challenge/test.txt
Figured it out!
The last section of my nginx config file, for listening to 443, had a small blurb about where to direct requests for .well-known:
location ~ ^/.well-known {
    root /var/www;
}
I had to fix it to point to the correct directory. Made the change and reloaded nginx, then the certificate renewal worked just fine.
location ~ ^/.well-known {
    root /var/www/ghost;
}
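An added example, not part of the original post: a small pre-renewal check that works out which file nginx would serve for a challenge URI from a regex location's root and compares it with where a webroot-mode ACME client would write the token. The sample configs are constructed from the two snippets above; the function names, the enclosing server block and the assumption that the client's webroot is /var/www/ghost are hypothetical, and the parser only handles simple `location ~` blocks without nested braces.

```python
import re
from typing import Optional, Tuple

# Constructed sample configs mirroring the "before" and "after" snippets in the post.
BROKEN = """
server {
    listen 443 ssl;
    location ~ ^/.well-known {
        root /var/www;
    }
}
"""
FIXED = BROKEN.replace("root /var/www;", "root /var/www/ghost;")

# Simplified matching: regex locations only, no nested blocks inside the location.
LOCATION_RE = re.compile(r"location\s+~\s+(\S+)\s*\{([^}]*)\}")
ROOT_RE = re.compile(r"\broot\s+([^;\s]+)\s*;")


def served_path(config: str, uri: str) -> Optional[str]:
    """Return the file path nginx would read for uri, or None if no location matches."""
    for pattern, body in LOCATION_RE.findall(config):
        if re.search(pattern, uri):
            root = ROOT_RE.search(body)
            if root:
                # With `root`, nginx appends the full request URI to the root path.
                return root.group(1).rstrip("/") + uri
    return None


def webroot_mismatch(config: str, webroot: str,
                     token: str = "test.txt") -> Optional[Tuple[Optional[str], str]]:
    """Return (served, written) when nginx reads a different file than the client writes."""
    uri = "/.well-known/acme-challenge/" + token
    served = served_path(config, uri)
    written = webroot.rstrip("/") + uri  # where a webroot-mode client puts the token
    return None if served == written else (served, written)


if __name__ == "__main__":
    for name, conf in (("before", BROKEN), ("after", FIXED)):
        result = webroot_mismatch(conf, "/var/www/ghost")
        if result is None:
            print(name + ": challenge path matches the webroot")
        else:
            print(name + ": nginx serves %s but the token is written to %s" % result)
```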