How can I bootstrap certbot on a hard-redirecting https domain?

This example uses a static root instead of an application. Replace the location / block in the HTTPS section as appropriate...

1) Create conf file (note that ssl_certificate lines are commented out)

server {
    # naive redirect of HTTP to HTTPS
    server_name example.com;

    listen *:80;
    listen [::]:80;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://example.com;
    }
}

server {
    # main server block
    server_name example.com;

    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;
    index index.html index.htm;

    location / {
        # replace this with directives for your application
        try_files $uri $uri.html $uri/ =404;
    }

}

2) Run certbot

certbot certonly --authenticator webroot --webroot-path /var/www/letsencrypt -d example.com

3) Update conf file. Uncomment ssl_certificate lines:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

4) Restart nginx

service nginx restart

5) Test renewal (with force-renewal, not dry-run)

certbot renew --force-renewal

6) In 90 days, renew as normal...

certbot renew