Oh, I missed that! Yes, I think the script's use of --deploy-hook is appropriate.
@kali, the idea of the --deploy-hook is that usually certbot renew will not renew your certificate (because it will decide that your certificate has enough validity time left that it doesn't need to be renewed yet)—so --deploy-hook provides a script that Certbot runs only in the minority of cases where the certificate was, in fact, renewed. Whatever actions need to be taken in that case can be specified there.
If you put something like service nginx reload in the cron task, then nginx would be reloaded whenever the cron task runs, even if it was unnecessary because no certificate renewal took place.
The Certbot developers intended for certbot renew to be run very often (twice per day is suggested!), because it doesn't attempt renewals until it's "necessary". That way you don't have to choose a time to schedule your renewal for; the renewal schedule is based on the current certificates' expiration time rather than on a schedule manually chosen by the user.
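
A deploy hook of the kind described in the post above, as an added example that is not part of the original thread or Certbot's own code. The script path, the cron schedule and the NGINX_TEST_CMD / NGINX_RELOAD_CMD override variables are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example: deploy hook that reloads nginx only after a real renewal.
# Cron entry, twice per day (constructed; the script path is an assumption):
#   17 3,15 * * * certbot renew --quiet --deploy-hook /usr/local/bin/reload-nginx-on-renew.sh
#
# Certbot runs the hook once per renewed certificate and sets:
#   RENEWED_LINEAGE  live directory of the renewed certificate
#   RENEWED_DOMAINS  space-separated names on that certificate

# Overridable so the logic can be exercised without touching nginx (assumption).
NGINX_TEST_CMD=${NGINX_TEST_CMD:-"nginx -t"}
NGINX_RELOAD_CMD=${NGINX_RELOAD_CMD:-"service nginx reload"}

deploy_hook() {
    lineage=$1
    domains=$2
    # Without a lineage we were not called for a renewal: do nothing.
    if [ -z "$lineage" ]; then
        echo "no renewed lineage; nothing to do" >&2
        return 2
    fi
    # The renewed chain and key must both exist and be non-empty.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "missing or empty $lineage/$f" >&2
            return 3
        fi
    done
    # Test the configuration first; skip the reload and fail if it does not parse.
    if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
        echo "nginx config test failed; not reloading" >&2
        return 4
    fi
    $NGINX_RELOAD_CMD || return 5
    echo "reloaded nginx for: $domains"
}

# Act only when Certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

A non-zero exit from the hook shows up in Certbot's output, so a skipped reload is visible rather than silent.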