Check root-owned Let's Encrypt certificates through sudo and use a boolean nginx SSL guard, preventing HTTPS stages from being rewritten as HTTP-only during bootstrap.