Certbot, cron, and expired certificates

07 Oct 2018

A fresh Debian install. Nginx, LetsEncrypt/certbot, and a script in /etc/cron.monthly with a renew-hook to reload nginx. Still, my certificates would expire. At the same time, the cron output tells me 'The certificates are not yet due for renewal'.

systemd: certbot.timer

Apparently, there are systemd service and timer files for certbot. I might have missed these because my previous setup was based on earlier versions of LetsEncrypt not installed via apt.

The certbot.timer checks whether certificates need renewal twice a day. This means that by the time the monthly cron job runs, the chances that a renewal is necessary are pretty, pretty slim. Result: the renew-hook is never executed, and thus nginx is never reloaded. Certbot does renew the files under /etc/letsencrypt, but nginx keeps serving the certificate it loaded at startup until it is reloaded, so the site presents an expired certificate even though a valid one sits on disk.

solution: /etc/letsencrypt/cli.ini

Define the hooks in /etc/letsencrypt/cli.ini. That way, they will be run regardless of whether it's cron, systemd, or you running a manual certbot renew that triggers the renewal:

renew-hook = systemctl reload nginx.service
post-hook = systemctl reload nginx.service

Test whether the hooks are actually called using certbot renew --dry-run, and you should be good to go! Note that post-hook runs once at the end of a renewal run, while renew-hook runs once per certificate that was actually renewed, so with both set a run that renews one certificate reloads nginx twice; harmless, but either one on its own is enough.
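As an added check that is not part of the original post: a small POSIX shell script that verifies a cli.ini defines an nginx-reloading hook, and that the certificate nginx actually serves is the same one certbot has on disk (the failure mode above is exactly a mismatch between the two). The hostname, certificate path and the use of openssl are assumptions; cli.ini path defaults to the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the two things that
# go wrong in the scenario described: no reload hook configured, and a
# stale certificate still loaded in nginx after certbot renewed on disk.

CLI_INI="${CLI_INI:-/etc/letsencrypt/cli.ini}"   # path from the post

# Return 0 if the given cli.ini defines a renew/deploy/post hook that
# mentions nginx (i.e. something that will reload it after renewal).
hook_configured() {
    grep -Eq '^[[:space:]]*(renew-hook|deploy-hook|post-hook)[[:space:]]*=.*nginx' "$1"
}

# SHA-256 fingerprint of a certificate file on disk.
disk_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# SHA-256 fingerprint of the certificate the server presents for $1 on :443.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Return 0 when served and on-disk certificates are identical.
served_matches_disk() {
    served=$(served_fingerprint "$1")
    [ -n "$served" ] && [ "$served" = "$(disk_fingerprint "$2")" ]
}

# Usage: check.sh <hostname> <path/to/fullchain.pem>   (hypothetical file name)
if [ "$#" -eq 2 ]; then
    hook_configured "$CLI_INI" \
        && echo "OK: nginx hook present in $CLI_INI" \
        || echo "WARN: no nginx reload hook in $CLI_INI"
    served_matches_disk "$1" "$2" \
        && echo "OK: $1 serves the certificate in $2" \
        || echo "WARN: $1 serves a different certificate than $2 (reload nginx?)"
fi
```

Run it after a renewal (or a --dry-run) to confirm the hook fired; a WARN on the second check means certbot renewed but nginx never reloaded.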