A fresh Debian install. Nginx, LetsEncrypt/certbot, and a script in
/etc/cron.monthly with a renew-hook to reload nginx. Still, my certificates
would expire. At the same time, the cron output tells me 'The certificates are
not yet due for renewal'.
Apparently, there are systemd service and timer files for certbot. I might have missed these because my previous setup was based on earlier versions of LetsEncrypt not installed via apt.
The certbot.timer will check whether certificates need renewal twice a day. This means by the time the monthly cron is run, the chances renewals are necessary are pretty, pretty slim. Result: the renew-hook is never executed, and thus nginx is never reloaded.
Define the hooks in
/etc/letsencrypt/cli.ini. That way, they will be run
regardless of whether it's cron renewing, or systemd, or yourself via a manual
renew-hook = systemctl reload nginx.service
post-hook = systemctl reload nginx.service
Test whether the hooks are actually called using
certbot renew --dry-run, and
you should be good to go!
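To catch the failure described above (certificate renewed on disk, nginx never reloaded), one can compare the certificate nginx actually presents with the one certbot wrote. This is an added example, not part of the original post: the function names, the example.org host and the sample "certificates" (arbitrary bytes in PEM armor) are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (cert.pem or fullchain.pem)."""
    start = pem_text.index(HEADER)
    end = pem_text.index(FOOTER, start) + len(FOOTER)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()

def served_pem(host, port=443, timeout=5.0):
    """Fetch the certificate the running server presents. Validation is off on
    purpose: an expired certificate must still be retrievable for comparison."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def reload_missed(disk_pem, live_pem):
    """True when the server presents a different leaf than the one on disk."""
    return leaf_fingerprint(disk_pem) != leaf_fingerprint(live_pem)

def constructed_pem(payload):
    """Constructed sample: arbitrary bytes in PEM armor, not a real certificate."""
    return ssl.DER_cert_to_PEM_cert(payload)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. example.org /etc/letsencrypt/live/example.org/cert.pem
        host, path = sys.argv[1], sys.argv[2]
        with open(path) as fh:
            stale = reload_missed(fh.read(), served_pem(host))
    else:
        # Offline demo: disk holds the renewed chain, server still has the old leaf.
        disk = constructed_pem(b"renewed leaf") + constructed_pem(b"intermediate")
        stale = reload_missed(disk, constructed_pem(b"old leaf"))
    print("reload missed: served certificate is not the one on disk" if stale
          else "server presents the certificate on disk")
    sys.exit(1 if stale else 0)
```

Run from cron or a monitoring check with a hostname and certificate path as arguments, the non-zero exit status signals that a reload was missed.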