Thanks for the suggestion! That is also doable with Nginx's SSL pass-through. However, that is still vulnerable to the VPS provider obtaining a certificate. But indeed, it does appear that a combination of redirecting encrypted traffic (SSL passthrough or iptables) with cert monitoring appears to be emerging as a solution.
BTW, I prefer SSL pass-through over iptables, because I do keep one endpoint on the VPS and that's my static website which also needs a cert. With SSL pass-through I can terminate connections to the static website while redirecting all other connections as it can pre-read the destination domain. With iptables I would need two IP addresses to distinguish the connections.