Hi @gauthier,
Sorry for the delay, bit busy today.
You installed certbot using the package distributed by Ubuntu, so, as far as I know, you already have a cron entry; indeed, you should have both a cron entry and a timer.
Check if you have this file /etc/cron.d/certbot:
# ls -l /etc/cron.d/certbot
-rw-r--r-- 1 root root 484 Jan 31 03:02 /etc/cron.d/certbot
# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
This entry only works if you are not using systemd; if you are, then you already have a timer (something similar to cron jobs but for systemd):
# systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2018-02-06 00:03:28 CET 4h 31min left Mon 2018-02-05 18:57:39 CET 34min ago snapd.refresh.timer snapd.refresh.service
Tue 2018-02-06 00:04:02 CET 4h 32min left n/a n/a certbot.timer certbot.service
Tue 2018-02-06 06:15:25 CET 10h left Mon 2018-02-05 18:57:40 CET 33min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2018-02-06 15:38:32 CET 20h left Mon 2018-02-05 18:57:40 CET 33min ago apt-daily.timer apt-daily.service
Tue 2018-02-06 19:22:43 CET 23h left Mon 2018-02-05 19:22:43 CET 8min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
And you will see the certbot timer which will run twice a day.
I mean, you already have a cron job/systemd timer in your system, so remove the entry you added manually.
Keep in mind that a cron job is not the same as running something from the terminal: the PATH variable may not be the same as the one you are using in your terminal. So, you have two options to be bulletproof: add a PATH variable to your cron job with the right paths to find the executables, or simply use the full path to your executable, so writing /usr/bin/certbot could save you some headaches ;).
Trying to renew your certs every 24 hours or twice a day is the right way; keep in mind that the certbot renew command only checks whether your certs will expire soon (by default within 30 days), so if they are not close to expiring (30 days or less) it does absolutely nothing, and it is correct to run it twice a day.
Also, right now, when certbot renews your certs you will need to reload your nginx manually; you can add a simple option to your renewal conf file so this reload is performed by certbot only when it renews your cert.
Edit this file /etc/letsencrypt/renewal/MY.WEBSITE.COM.conf and you will see something like this:
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/MY.WEBSITE.COM/cert.pem
privkey = /etc/letsencrypt/live/MY.WEBSITE.COM/privkey.pem
chain = /etc/letsencrypt/live/MY.WEBSITE.COM/chain.pem
fullchain = /etc/letsencrypt/live/MY.WEBSITE.COM/fullchain.pem
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/MY.WEBSITE.COM
# Options and defaults used in the renewal process
[renewalparams]
installer = nginx
authenticator = webroot
rsa_key_size = 2048
account = aaaaaaaaaaaaaaaaaaaaaaaaaaa
post_hook = systemctl reload nginx
[[webroot_map]]
MY.WEBSITE.COM = /home/uibuntu/letsencrypt
Pay attention to post_hook; if it does not exist, create it and add the command to reload nginx. In this case I've put systemctl reload nginx, but maybe you want to use service nginx reload. Save the conf file and you are done.
If you don't want to modify the conf file manually, next time you want to issue a certificate add the --post-hook 'systemctl reload nginx' option to your certbot command:
sudo certbot --authenticator webroot --installer nginx -w /path/to//root/of/your/domain/ -d MY.WEBSITE.COM --post-hook 'systemctl reload nginx'
There is another option, like using your own script and copying it to /etc/letsencrypt/renewal-hooks/post/, and this script will be executed automatically when a certificate is renewed... there are a lot of options ;).
I hope this helps.
Regards,
sahsanu
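The two checks from the reply above, as an added example that is not part of sahsanu's post: `renewal_scheduler` applies the same `test -d /run/systemd/system` that the Ubuntu cron entry uses to decide whether cron or the certbot.timer is in charge, and `ensure_post_hook` inserts a `post_hook = ...` line under `[renewalparams]` in a renewal conf only when one is not already there (so a second run leaves the file untouched). The function names and the sample conf embedded by `make_sample_conf` are constructed for this example; the conf mirrors the one quoted in the post, with the hook command as an argument so you can pass `service nginx reload` instead.

```shell
#!/bin/sh
# Added example, not code from the original post. All function names are
# hypothetical; the sample renewal conf is constructed here for the demo.
set -eu

# renewal_scheduler: report which scheduler runs "certbot renew" on this
# host, using the same directory test as /etc/cron.d/certbot.
renewal_scheduler() {
    if [ -d /run/systemd/system ]; then
        echo systemd-timer
    else
        echo cron
    fi
}

# ensure_post_hook CONF HOOKCMD
# Print "present" if CONF already has a post_hook line, "added" after
# writing "post_hook = HOOKCMD" directly under [renewalparams], or
# "missing-section" (exit 1) if the conf has no [renewalparams] header.
ensure_post_hook() {
    conf=$1
    hook=$2
    if grep -q '^post_hook[[:space:]]*=' "$conf"; then
        echo present
        return 0
    fi
    if ! grep -q '^\[renewalparams\]' "$conf"; then
        echo missing-section
        return 1
    fi
    tmp=$(mktemp)
    # Copy every line; right after the section header emit the hook line.
    awk -v hook="$hook" '
        { print }
        /^\[renewalparams\]/ { print "post_hook = " hook }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place so owner/mode are kept
    rm -f "$tmp"
    echo added
}

# make_sample_conf: write a constructed renewal conf (no post_hook yet)
# to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/MY.WEBSITE.COM/cert.pem
privkey = /etc/letsencrypt/live/MY.WEBSITE.COM/privkey.pem
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/MY.WEBSITE.COM

# Options and defaults used in the renewal process
[renewalparams]
installer = nginx
authenticator = webroot
rsa_key_size = 2048
[[webroot_map]]
MY.WEBSITE.COM = /home/ubuntu/letsencrypt
EOF
    echo "$f"
}

# demo: first call adds the hook, second call reports it as present.
demo() {
    f=$(make_sample_conf)
    echo "scheduler: $(renewal_scheduler)"
    ensure_post_hook "$f" 'systemctl reload nginx'
    ensure_post_hook "$f" 'systemctl reload nginx'
    grep -n '^post_hook' "$f"
    rm -f "$f"
}
```

Run `demo` (or point `ensure_post_hook` at a real `/etc/letsencrypt/renewal/*.conf` as root) and then confirm with `sudo certbot renew --dry-run`, which executes the post hook against the staging environment without touching your live certificate.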