Hacker News

or just make a cronjob to restart nginx after you run certbot



Going off-topic here, but this is exactly the problem. There is a cronjob that restarts nginx after a certbot rerun. This makes at least three assumptions, all of which will fail at some point:

1. certbot does not need to stop nginx to renew a cert (some modes do).

2. the certbot run succeeded (all certs have been renewed, no network issues, etc.)

3. all certs are written correctly so that the nginx config is valid (nginx can reach and parse the certs)

In this particular case, for some reason, one of the 7 sites hosted here had misconfigured DNS, the letsencrypt servers could not reach it, certbot failed, and no nginx restart was attempted. This case falls in #1, fixable by force-reloading nginx every day after the certbot run regardless of whether a cert has been renewed.

All solutions with nginx are kludges like that. Don't get me wrong: certbot/letsencrypt is miles ahead of the automation before they came along (I've built and run several hosting companies; cert automation is a disgrace), but it remains hacky, kludgy and therefore unstable and somewhat unreliable.
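The "reload nginx every day after the certbot run, whether or not anything was renewed" approach from the comment above, written out as a cron script. This is an added example, not code from the commenter, certbot or nginx. It assumes the usual command names (`certbot renew`, `nginx -t`, `systemctl reload nginx`), an installed file name of `renew-and-reload.sh`, and an exit-code convention (2 for a failed reload, 3 for an invalid config) that is this example's own. The three commands can be overridden through the environment so the decision logic can be exercised on a box without certbot or nginx.

```shell
#!/bin/sh
# renew-and-reload.sh (hypothetical name): daily cron job. Runs "certbot renew",
# then reloads nginx whether or not certbot renewed anything, but only after
# "nginx -t" confirms the config (and every cert file it references) still parses.
#
# The commands are overridable via the environment so the logic can be exercised
# on a machine without certbot or nginx, e.g. CERTBOT=false NGINX=true NGINX_RELOAD=true.
CERTBOT="${CERTBOT:-certbot}"
NGINX="${NGINX:-nginx}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

log() { printf '%s renew-and-reload: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# Step 1: attempt renewal of every cert. certbot exits non-zero if any cert failed
# (the thread's case: one of seven sites with broken DNS). Record that, but do not
# stop here: the other six certs may well have been renewed and nginx still has to
# pick them up.
renew_certs() {
  if $CERTBOT renew --non-interactive; then
    log "certbot renew succeeded"
    return 0
  fi
  log "certbot renew reported at least one failure (see certbot's log); continuing to the reload check"
  return 1
}

# Step 2: validate before touching nginx. A half-written or unreadable cert file
# makes "nginx -t" fail; reloading then would at best leave nginx on the old config
# and at worst take it down, so the reload is skipped and the job exits non-zero
# so that cron mails someone.
nginx_config_ok() {
  $NGINX -t >/dev/null 2>&1
}

# Step 3: reload (not restart) so open connections are not dropped.
# Returns 0 reloaded, 2 reload command failed, 3 config invalid and reload skipped.
reload_nginx() {
  if ! nginx_config_ok; then
    log "nginx -t failed; reload skipped"
    return 3
  fi
  if $NGINX_RELOAD; then
    log "nginx reloaded"
    return 0
  fi
  log "nginx reload command failed"
  return 2
}

# Runs every step even when an earlier one failed, then returns one status:
# the reload outcome if that went wrong, otherwise the certbot outcome, so a
# partial certbot failure is still visible in cron's mail.
main() {
  certbot_rc=0
  renew_certs || certbot_rc=$?
  reload_rc=0
  reload_nginx || reload_rc=$?
  if [ "$reload_rc" -ne 0 ]; then
    return "$reload_rc"
  fi
  return "$certbot_rc"
}

# Run the job when invoked as the installed cron script; when the file is sourced
# (for instance to test the functions) only the definitions above are loaded.
case "${0##*/}" in
  renew-and-reload.sh) main; exit $? ;;
esac
```

Installed as a daily cron entry, this closes the gap the comment describes: a certbot failure on one site no longer suppresses the reload that the other sites' freshly renewed certs need, and a broken cert file no longer gets loaded blind. certbot's own `--post-hook` (which, unlike `--deploy-hook`, runs after every `renew` attempt regardless of whether anything was renewed) can carry the same reload command if you would rather not keep a separate cron job; the `nginx -t` gate is still worth keeping in front of it.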


Huh, I hear ya, but really the only thing I've run into is updating certs not taking till nginx restart; in fact I suspect certbot might restart it for you at this point. I don't doubt it drops on the floor in any intermittent outages, which isn't unheard of when it runs every 3 months.



