Coping the files shouldn’t be necessary; If the cert is specifically designated to be used by postfix ONLY.
That is, certbot can manage all the certs in the system.
And you include a cert that is only intended for postfix use.
You know where those specific cert files will be located.
You then get postfix to use those specific files [giving postfix the proper access rights to them].
If that works, then the updates/renewals should be automatic:
- certbot ensures the cert gets renewed before it expires
- deploy-hook restarts nginx after each successful cert renewal [ensuring nginx is always using the latest cert]