Replying to ChipTuner

Okay, let's talk about a few things. I'll try to take it easy to start with.

- You are trying to use nginx as a reverse proxy in front of your haven relay correct?

- You are wanting to issue a new SSL certificate for the new subdomain?

- You are using certbot with the nginx plugin (nginx mode) to issue a new cert using the defaults?

So tell me.

- Are you on ubuntu 24.04 or later?

- Did you install the repository for nginx or use the default apt (canonical ubuntu repos)?

A few things are possible.

- Certbot and nginx are horribly outdated depending on your versions

- Your A record has not propagated to the servers that certbot (letsencrypt) is using to resolve your domain

- You're not using the correct plugin when stepping through the guide

- Your firewall or other security related things might be blocking letsencrypt server's traffic

I would

1. Use a DNS resolution tool (your DNS provider might have a link to one) to ensure your A record has propagated throughout the world; it will take some time for all DNS servers to find it

2. Ensure you are using the nginx plugin when using certbot (not acme, or other challenge based)

3. [bonus] Consider adding the nginx repository from the nginx website and install the latest stable version directly from nginx. Just add the repo and run apt update and it should offer you an upgrade

4. [bonus] Consider using a CNAME to your main domain if it's on the same IP instead of an A record. So it's aliased and less likely to mess you up in the future.

Hi! Appreciate your reply.

"- You are trying to use nginx as a reverse proxy in front of your haven relay correct?

Correct, so I can use the wss://relays / https for blossom in my client

- You are wanting to issue a new SSL certificate for the new subdomain?

Yes

- You are using certbot with the nginx plugin (nginx mode) to issue a new cert using the defaults?

Yes, I believe so

- Are you on ubuntu 24.04 or later?

Yes

- Did you install the repository for nginx or use the default apt (canonical ubuntu repos)?

Unsure exactly. I followed instructions here:

https://github.com/bitvora/haven/blob/master/docs/build.md

I bought the domain last night, does it take a few days to make it out to the greater web?


> https://meet.google.com/yvr-mbth-xdo

The domain, no. DNS, yes. It can take a few minutes to hours for DNS changes to propagate. Just depends on when you configured the record to when you ran certbot. If you ran it again now I'd expect it to be fine.

This tool works fine for checking that

https://dnschecker.org/

I would highly recommend following the instructions here to install nginx. It should be fine if you already have nginx installed.

https://nginx.org/en/linux_packages.html#Ubuntu

Final thing. I assume you are using an IPv4 address? v6 are becoming more common for residential so I'm just checking. It should look something like this: 56.36.9.10 and not like this: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

You cannot put IPv6 addresses into an A record is why I ask. Your DNS provider shouldn't let you, but wanted to make sure.
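The two checks discussed in this thread (which record type an address needs, and whether the record is visible on several public resolvers before running certbot) can be scripted. This is an added example, not code from the thread or from the haven guide; the resolver list, function names and the `SAMPLE` answers are assumptions constructed for illustration, and the addresses are the ones quoted above.

```python
import ipaddress
import subprocess

# Assumed set of public resolvers to compare against.
RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8", "quad9": "9.9.9.9"}

def record_type(address):
    """'A' for an IPv4 address, 'AAAA' for IPv6; ValueError if it is neither."""
    return "A" if ipaddress.ip_address(address).version == 4 else "AAAA"

def same_address(a, b):
    """Compare by value so compressed and expanded IPv6 forms match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False  # not an address, e.g. a CNAME target in dig output

def propagation_report(server_ip, answers):
    """answers maps resolver name -> list of strings returned for the hostname.
    Returns (record type to create, resolvers not yet returning server_ip)."""
    pending = sorted(name for name, got in answers.items()
                     if not any(same_address(server_ip, g) for g in got))
    return record_type(server_ip), pending

def query(hostname, rtype, resolver_ip):
    """Live lookup through dig (needs network access and the dig binary)."""
    out = subprocess.run(["dig", "@" + resolver_ip, hostname, rtype, "+short"],
                         capture_output=True, text=True, timeout=10).stdout
    return out.split()

def live_report(hostname, server_ip):
    """Ask every resolver in RESOLVERS and summarise the result."""
    rtype = record_type(server_ip)
    answers = {n: query(hostname, rtype, ip) for n, ip in RESOLVERS.items()}
    return propagation_report(server_ip, answers)

# Constructed sample: one resolver has no answer yet for the new subdomain.
SAMPLE = {"cloudflare": ["56.36.9.10"], "google": ["56.36.9.10"], "quad9": []}

if __name__ == "__main__":
    print(propagation_report("56.36.9.10", SAMPLE))
```

An empty pending list from `live_report("relay.example.com", "<your server IP>")` (placeholder hostname) means every listed resolver already returns the address, which is the point at which re-running certbot is worth trying.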