This is better than a cron job - which is depreciated on the Mac.
It runs every day, at 10:15, but of course certbot only renews if the cert needs it.
I’ve put it in /Library/LaunchDaemons/com.certbot-auto-renew.plist and you load it with
sudo launchctl load -w com.certbot-auto-renew.plist
This directory is not blocked by the SIP system on the Mac.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.letsencrypt.renew</string>
<key>ProgramArguments</key>
<array>
<string>certbot</string>
<string>renew></string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>10</integer>
<key>Minute</key>
<integer>15</integer>
</dict>
</dict>
</plist>