I use the following to update my certs.
I have one cert with multiple subdomains making it easier to manage. I run on CentOS 7 and my script has some dependencies such as using systemd (systemctl reload httpd) at the end to get the new cert.
My setup relies on using the Apache authenticator. This could be generalized more with config variables, but I don’t have time to expand right now.
One hack, and it might just be because of my lack of research/understanding: I had to make a symlink in /etc/letsencrypt/live/[mydomain] to what I found letsencrypt generates on renewal (i.e. /etc/letsencrypt/live/[mydomain]-0001). In doing so, the updater script requires no human intervention, does not stop the webserver, and is self-sustaining.