Does it support the https-only method of validation? 'cuz almost all clients expect port 80 to be used (or DNS), and I totes can't do the former.
Nope, must be port 80. I guess you need to prove you have complete access to the port 80 pipeline on a server, you can't just hack in and open a little listener on some userland port.
Besides, I'm not restarting nginx, I use the reload config command.
Hmm, I think I misunderstood what you were doing. I thought you were bringing nginx down to get the new cert, like in a certbot standalone mode...
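For readers who can open port 80 at all, here is an added example (not posted in this thread) of an nginx layout that satisfies the HTTP-01 requirement discussed above while exposing nothing else over plain HTTP, and that is refreshed with a reload rather than a restart. The domain example.com, the webroot /var/www/acme and certbot's default /etc/letsencrypt/live layout are assumptions.

```nginx
# Added example: plain-HTTP listener restricted to the ACME challenge path.
# Assumed values: example.com, /var/www/acme, certbot's default cert paths.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # The CA fetches http://example.com/.well-known/acme-challenge/<token>;
    # the client (e.g. certbot --webroot -w /var/www/acme) writes the token file here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Everything else is refused on port 80 and sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Assumed certbot layout; the symlinks under live/ always point at the newest cert.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
    }
}
```

After a renewal, `nginx -t && nginx -s reload` validates the configuration and picks up the new certificate without stopping the server, which is the reload-not-restart approach described above.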