Success!! 
Thank you to you all for teaching me…the internet. It’s all a good reminder as to why I pay for Anvil.
In addition to Ryan’s tutorial, I did the following two things:
- adjusted my VM’s firewall settings so that port 443 was open.
sudo ufw allow ssh
sudo ufw enable
sudo ufw allow 443
- As recommended by letsencrypt, I got myself a certificate from certbot by following their instructions:
sudo snap install core
sudo snap refresh core
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone
After running the certbot commands, I got the following reassuring print out:
Congratulations! Your certificate and chain have been saved at:
…
Your key file has been saved at:
…
Your certificate will expire on … To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run “certbot renew”
I believe that those were the two factors that were interacting to thwart my efforts.
Thank you to @owen.campbell, @Tony.Nguyen, and @robert for all of your helpful pointers.