You can supply the --post-hook option to certbot when obtaining a certificate, and it will run the command you specify if it actually gets the certificate. For example (I’m assuming you’re using the webroot plugin):
sudo certbot certonly --webroot -w /var/www -d example.com --post-hook "systemctl restart nginx"
Certbot will remember this option (it’s stored in the file /etc/letsencrypt/renewal/example.com.conf) and will run the same command again when the cron job runs certbot renew. You can also edit that file manually, to add a line like
post_hook = systemctl restart nginx
The post-hook option is better, because it only restarts nginx when a certificate was actually renewed, rather than every time the cron job runs.
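Added example (not part of the original post and not certbot's own code): a small check that every renewal file in the directory named above has a post_hook saved, so a renewed certificate is not left unloaded by nginx. It assumes the saved option sits in the [renewalparams] section of each file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the post_hook saved in each certbot renewal file.
# Assumption: certbot keeps saved options under the [renewalparams] section,
# so a post_hook line placed anywhere else is reported as MISSING.

# Print the post_hook value from [renewalparams] in one file (empty if absent).
get_post_hook() {
    awk '
        # Track which section we are in; any "[...]" header switches section.
        /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params && /^[ \t]*post_hook[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "post_hook = "
            sub(/[ \t\r]+$/, "")       # drop trailing whitespace / CR
            print
            exit
        }
    ' "$1"
}

# Print one line per renewal file: "<name> OK <hook>" or "<name> MISSING".
# Returns 1 if any file has no post_hook, so it can gate a cron or CI check.
audit_post_hooks() {
    dir=${1:-/etc/letsencrypt/renewal}
    missing=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue          # directory empty or absent
        name=$(basename "$conf" .conf)
        hook=$(get_post_hook "$conf")
        if [ -n "$hook" ]; then
            printf '%s OK %s\n' "$name" "$hook"
        else
            printf '%s MISSING\n' "$name"
            missing=1
        fi
    done
    return "$missing"
}
```

Call audit_post_hooks with no argument to check /etc/letsencrypt/renewal (reading those files normally requires root), or pass another directory to check a copy.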
It depends on the operating system. Some have a defined order in which daemons (such as crond and nginx) are started. Others try to start everything in parallel. I think Ubuntu 16.04 is one of the latter? However I wouldn’t worry too much about it - if nginx hasn’t started then the challenge will fail anyway, so it won’t matter if the post-hook fails to restart it as there will be no new certificate to pick up anyway. (EDIT: I previously said the post-hook wouldn’t even run if the challenge failed, but that’s not correct. I was probably thinking of