I can get worried if renewal will work properly, so I ended up with command:
certbot certonly --dry-run --nginx -d my.domain
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Simulating renewal of an existing certificate for my.domain
The dry run was successful.
it did not modify mentioned nginx.conf. What is proper command to make sure renewal will work?
I have tried to remove "--dry-run" from the command and it apparently renewed the cert.
Not exactly sure what you are asking. The --dry-run you used is just a test using the Let's Encrypt staging system. It does not affect your existing production certs or your server config.
Further, you used certonly which only gets a cert and does not modify your server config.
That said, your original command should work just fine with the automated renew. I am nearly certain the renew command does not make permanent changes to your server config. @Osiris would know for certain about that.
Note if you added a listen for IPv6 in port 443 server block you should probably add the same in your port 80 server block. And, I don't know why you need to designate that the default. Normally relying just on SNI is sufficient but if you have your reasons then never mind
And I'd recommend also testing this renewal by using the same renew command as planned plus the --dry-run option. Suddenly using certonly for no good reason only complicates things.
