I’ve tried disabling IPv6 entirely (after re-running the configuration script and seeing the link-local address happily added as a “public” IPv6 address), but I still see the same behavior. At this point, plenty of time should have passed for DNS propagation since removing the IPv6 address, so I doubt the problem is Let’s Encrypt timing out trying to access the box via IPv6 (and then also not falling back to IPv4).
I do see the following in /var/log/nginx/error.log (IPs and domains changed, of course, though all are correct):
2017/12/21 18:56:17 [error] 9354#0: *33 upstream timed out (110: Connection timed out) while reading response header from upstream, client: X.X.X.X, server: mail.example.com, request: "POST /admin/ssl/provision HTTP/1.1", upstream: "http://127.0.0.1:10222/ssl/provision", host: "mail.example.com", referrer: "https://mail.example.com/admin/"
What would be running on port 10222? (Edit: I gather this is the mailinabox management daemon; still trying to figure out how to see what’s going wrong there.)