LetsEncrypt HTTPS nginx and systemd service for Jupyter Notebook?

Question

I get no errors in neither /var/log/nginx/{access,error}.log nor the journalctl for jupyter and nginx. Putting it all in an HTTP block works, HTTPS the website never loads (I tried curl -Lvvv 'http://DOMAIN_NAME' and the redirect worked but then timeout)

---

Starting with latest nginx from apt official mirror http://nginx.org/packages/ubuntu, I manually configured LetsEncrypt and the dhparams and nginx-options like so:

$ python3 -m venv venv
$ venv/bin/python -m pip install certbot
$ sudo systemctl stop nginx
$ venv/bin/certbot certonly --standalone --agree-tos \
                            -d '[DOMAIN_NAME]' -m '[EMAIL]'
$ base_url='https://raw.githubusercontent.com/certbot/certbot/master/certbot'
$ curl --proto '=https' --tlsv1.2 -sSf \
  "$base_url"'/certbot/ssl-dhparams.pem' \
   -o '/etc/ssl/certs/ssl-dhparam.pem'
$ curl --proto '=https' --tlsv1.2 -sSf \
  "$base_url"'-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf' \
  -o '/etc/letsencrypt/options-ssl-nginx.conf'
$ # Add `nginx service conf` and `jupyter_notebook.service` from below
$ systemctl start nginx

/lib/systemd/system/jupyter_notebook.service

[Unit]
Description=Job that runs the jupyter_notebook daemon

[Service]
User=VIRTUALENV_USER
Group=VIRTUALENV_GROUP
Environment=VIRTUALENV=VIRTUALENV_BIN
 Environment=PYTHONPATH=VIRTUALENV_BIN
WorkingDirectory=/MY/NOTEBOOKS/DIR
ExecStart=VIRTUALENV_BIN/jupyter notebook --no-browser \
          --NotebookApp.port=8000 \
          --NotebookApp.notebook_dir=/MY/NOTEBOOKS/DIR \
          --NotebookApp.local_hostnames DOMAIN_NAME \
          --NotebookApp.allow_origin DOMAIN_NAME \
          --NotebookApp.password_required=True \
          --NotebookApp.password argon2:$argon2id$v=19$m=1024<omitted>

[Install]
WantedBy=multi-user.target

/etc/nginx/sites-enabled/DOMAIN_NAME.conf

Add include /etc/nginx/sites-enabled/*.conf; within the http block of nginx.conf then add this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name DOMAIN_NAME;

    return 302 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name DOMAIN_NAME;

    ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;

    ssl_dhparam /etc/ssl/certs/ssl-dhparam.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Scheme $scheme;

        proxy_buffering off;
    }

    location ~ /.well-known {
        allow all;
    }
}

I've also tried adding these blocks within the server block:

    location ~ /api/kernels/ {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade "websocket";
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;
    }

    location ~ /terminals/ {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade "websocket";
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;
    }

---

PS: I've scripted this entire process but posting here so you can follow along without my automation process.

What am I doing wrong?