Is there a recommended way to add “sudo systemctl restart nginx” on the cron job?
I’ve seen people throw it into the /etc/cron.d/certbot - is this a good practice?
Also one noob question about cron jobs: Are they only executed after the system has been fully launched, or are they also run while the system is launching? (I ask because one reason “while launching” could be a problem is you wouldn’t know that “restart nginx” would work, as nginx might not be loaded yet.)
You can supply the --post-hook option to certbot when obtaining a certificate, and it will run the command you specify if it actually gets the certificate. For example (I'm assuming you're using the webroot plugin):
Certbot will remember this option (it's stored in the file /etc/letsencrypt/renewal/example.com.conf) and will run the same command again when the cron job runs certbot renew. You can also edit that file manually, to add a line like
post_hook = systemctl restart nginx
in the [renewalparams] section.
The post-hook option is better, because it only restarts nginx when a certificate was actually renewed, rather than every time the cron job runs.
It depends on the operating system. Some have a defined order in which daemons (such as crond and nginx) are started. Others try to start everything in parallel. I think Ubuntu 16.04 is one of the latter? However I wouldn't worry too much about it - if nginx hasn't started then the challenge will fail anyway, so it won't matter if the post-hook fails to restart it as there will be no new certificate to pick up anyway. (EDIT: I previously said the post-hook wouldn't even run if the challenge failed, but that's not correct. I was probably thinking of --renew-hook. Sorry)
And as far as I know a reload is enough to load the new certificates. So a post_hook = systemctl reload nginx should be enough - and faster than a full restart. Please correct me if reload is not enough.
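An added example (not from any of the posts above) that ties the post-hook answer and the reload suggestion together: a small hook script that validates the nginx configuration before reloading, so a broken config or unreadable certificate file never takes the running server down. The install path /usr/local/sbin/reload-nginx-hook and the NGINX_BIN / SYSTEMCTL_BIN overrides are assumptions for illustration and testing, not certbot or nginx features.

```shell
#!/bin/sh
# Added example post-hook for certbot; not code from the original thread.
# Assumptions: nginx and systemctl are on PATH. NGINX_BIN and SYSTEMCTL_BIN
# are hypothetical overrides so the function can be exercised without root.
# Install as /usr/local/sbin/reload-nginx-hook (assumed path) and reference it as
#   post_hook = /usr/local/sbin/reload-nginx-hook
# in the [renewalparams] section of the renewal conf, or via --post-hook.

reload_nginx_after_renewal() {
    nginx_bin="${NGINX_BIN:-nginx}"
    systemctl_bin="${SYSTEMCTL_BIN:-systemctl}"

    # Validate the configuration (including the certificate and key files it
    # references) before touching the running service. A failed "restart"
    # leaves nginx down; a failed "reload" keeps the old workers serving; and
    # refusing to reload at all when the config is broken is the safest.
    if ! "$nginx_bin" -t >/dev/null 2>&1; then
        echo "reload-nginx-hook: nginx -t failed, not reloading" >&2
        return 1
    fi

    # A reload re-reads the certificates without dropping open connections,
    # which is why reload rather than restart is used here.
    if ! "$systemctl_bin" reload nginx; then
        echo "reload-nginx-hook: systemctl reload nginx failed" >&2
        return 2
    fi
    echo "reload-nginx-hook: nginx reloaded with renewed certificate(s)"
}

# Run only when executed under the installed name, not when sourced.
case "$0" in
    */reload-nginx-hook|reload-nginx-hook) reload_nginx_after_renewal ;;
esac
```

Because a post-hook runs on every certbot renew attempt (not only after a successful renewal), the nginx -t check keeps that extra invocation harmless.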