I was able to reproduce your problem. When Let’s Encrypt generates a certificate, the certbot agent generates a file at http://domain.tld/.well-known/acme-challenge/long-random-name and the Let’s Encrypt servers try to reach this URL over HTTP on port 80/TCP.
If both the IPv4 and IPv6 addresses of domain.tld are available, Let’s Encrypt will always prefer the IPv6 address.
In the /etc/nginx/sites-enabled folder, we can find 2 configuration files with these directives:

nginx-passbolt.conf:

    listen 80;

default.conf:

    listen 80 default_server;
    listen [::]:80 default_server;

It means the passbolt configuration file listens “only” on IPv4 and the default one listens on both IPv4/IPv6.
I suggest adding a line “listen [::]:80;” before the “listen 80;” line in the /etc/nginx/sites-enabled/nginx-passbolt.conf file.
Then you should be able to generate your certificate. Let us know if it fixes your issue, and we will update the nginx configuration file.
Regards.
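
The mismatch described in the reply above can be checked mechanically. The following is an added example, not part of the original post or of passbolt's own tooling: it reads the listen directives of each site file and reports the ones bound to port 80 on IPv4 only. The function names and the sample file contents are assumptions, constructed from the directives quoted in the post.

```python
import re

# Captures the arguments of each nginx "listen" directive.
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def listen_families(conf_text, port=80):
    """Return the address families ('ipv4', 'ipv6') listening on `port`."""
    families = set()
    uncommented = re.sub(r"#.*", "", conf_text)  # drop nginx comments
    for args in LISTEN_RE.findall(uncommented):
        addr = args.split()[0]  # first argument is the address and/or port
        if addr.startswith("unix:"):
            continue  # UNIX sockets are irrelevant to the HTTP-01 challenge
        if addr.startswith("["):
            family = "ipv6"
            bound = addr.rpartition("]:")[2] if "]:" in addr else "80"
        else:
            # Simplification: bare ports, IPv4 addresses and host names
            # are all counted as IPv4.
            family = "ipv4"
            if addr.isdigit():
                bound = addr
            elif ":" in addr:
                bound = addr.rpartition(":")[2]
            else:
                bound = "80"  # nginx default port when only an address is given
        if bound == str(port):
            families.add(family)
    return families

def ipv4_only_sites(configs, port=80):
    """Names of the config files that listen on `port` over IPv4 but not IPv6."""
    return sorted(name for name, text in configs.items()
                  if listen_families(text, port) == {"ipv4"})

# Constructed sample mirroring the two files described in the post.
SAMPLE = {
    "nginx-passbolt.conf": "server {\n    listen 80;\n}\n",
    "default.conf": ("server {\n    listen 80 default_server;\n"
                     "    listen [::]:80 default_server;\n}\n"),
}

if __name__ == "__main__":
    for name in ipv4_only_sites(SAMPLE):
        print(f"{name}: port 80 is bound on IPv4 only")
```

On a real host, the dictionary would be built from the files under /etc/nginx/sites-enabled; a file reported here is one whose ACME challenge requests over IPv6 would be answered by another server block.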