The SSL/TLS certificate for the forums expired, so I SSHed in (not before having some issues with the VPN though - turns out you need to
f5fpc…) and fixed it. For future reference, I thought I’d document it here.
In short, this Stack Overflow answer gave the crucial clue. When I did
sudo systemctl restart nginx; sudo systemctl status nginx, I saw a warning like this:
nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
I saw this as significant because when running
sudo certbot renew --nginx manually I saw this:
nginx: [error] invalid PID number "" in "/run/nginx.pid"
As the answer says, adding a sleep of 0.1 to an override configuration file forces a slightly longer wait when starting nginx, long enough for nginx to have started and for its PID to be read from the PID file correctly.
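
The override described above, written out as an added example (not code from the original post). It assumes the override is a systemd drop-in for nginx.service that uses ExecStartPost=/bin/sleep 0.1, and it takes the /run/nginx.pid path from the log lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: unit name nginx.service, PID file /run/nginx.pid
# (both as seen in the log lines above), override done as a systemd drop-in.

# Write the drop-in into DIR (default: the system drop-in directory).
write_nginx_override() {
    dir="${1:-/etc/systemd/system/nginx.service.d}"
    mkdir -p "$dir" || return 1
    # ExecStartPost runs once nginx has been launched; the short sleep gives
    # nginx time to finish writing its PID file before startup completes.
    printf '[Service]\nExecStartPost=/bin/sleep 0.1\n' > "$dir/override.conf"
}

# Succeed only if FILE holds a positive integer PID. An empty or blank file
# is the state behind: invalid PID number "" in "/run/nginx.pid".
pid_file_ok() {
    file="${1:-/run/nginx.pid}"
    [ -s "$file" ] || return 1
    pid=$(tr -d '[:space:]' < "$file")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ]
}

# Apply the override, restart nginx, check the PID file, then rehearse the
# renewal without replacing the live certificate. Run as root.
apply_nginx_pid_fix() {
    write_nginx_override || return 1
    systemctl daemon-reload || return 1
    systemctl restart nginx || return 1
    pid_file_ok /run/nginx.pid || { echo "PID file still invalid" >&2; return 1; }
    certbot renew --nginx --dry-run
}
```

Calling apply_nginx_pid_fix performs the whole sequence; pid_file_ok can also be run on its own after any restart to confirm the warning is gone.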