PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# plomlompom added the --webroot -w /var/www/html/ so that renewal
-# works with nginx running.
-0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/
+# works with nginx running, and the nginx reload post-hook so that
+# the new certificates are linked to by nginx. Note that by default
+# we rely on the systemd timer service file instead of this cronjob,
+# but since both are installed by the certbot package to serve which
+# ever of the two is used, we cautiously adapt both of them too.
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"