On a Debian Stretch system at work, certbot was working but automatic renewals were not. The system is behind a proxy server and the https_proxy environment variable was not being set when certbot ran unattended.
I wasted several hours tinkering with /etc/cron.d/certbot before I realized that
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
was preventing certbot from running if systemd was running.
Edit /lib/systemd/system/certbot.service and add to the [Service] section:
Environment="https_proxy=https://my_proxy_server:port" "http_proxy=http://my_proxy_server:port"
Then run
systemctl daemon-reload
so that the changed file is actually read.
The setting is documented in man systemd.exec; search for Environment=
Don’t add directly into service file. Override it via systemctl edit certbot.service
I no longer have access to this environment, so cannot test.
As far as I can tell, this suggestion is correct: changes will not be overwritten if made in this way.
See https://www.linode.com/docs/guides/introduction-to-systemctl/#editing-a-unit-file for details.
Thanks very much for this suggestion.
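The drop-in override suggested in the comment above, as an added example that is not part of the original post or its comments: a shell function that writes the same kind of drop-in file that systemctl edit creates, leaving the packaged unit under /lib untouched. The function name write_proxy_dropin, the file name proxy.conf, the --apply switch and the use of one proxy URL for both variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. write_proxy_dropin, proxy.conf
# and --apply are hypothetical names chosen for this example.

# usage: write_proxy_dropin UNIT PROXY_URL [ROOT]
#   ROOT defaults to /etc/systemd/system; pass a scratch directory to dry-run.
write_proxy_dropin() {
    unit=$1 proxy=$2 root=${3:-/etc/systemd/system}

    # The unit name becomes a directory name, so refuse path separators.
    case $unit in ''|*/*) echo "bad unit name" >&2; return 1 ;; esac

    # Allow only plain URL characters. A quote or newline would corrupt the
    # Environment= line, and '@' is refused on purpose: Environment= values
    # are readable by unprivileged users (systemctl show), so credentials
    # must not be placed there.
    case $proxy in
        *[!A-Za-z0-9.:/_-]*) echo "unsafe character in proxy URL" >&2; return 1 ;;
    esac

    # Require scheme://host:port with a purely numeric port.
    case $proxy in
        http://?*:*|https://?*:*) ;;
        *) echo "expected http(s)://host:port" >&2; return 1 ;;
    esac
    port=${proxy##*:}
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac

    dir=$root/$unit.d
    mkdir -p "$dir" || return 1
    # umask 022 gives mode 0644: readable by all, writable only by the owner.
    ( umask 022
      printf '[Service]\nEnvironment="https_proxy=%s" "http_proxy=%s"\n' \
          "$proxy" "$proxy" > "$dir/proxy.conf" ) || return 1
    echo "$dir/proxy.conf"
}

# Apply for real only when invoked as: sh this_script --apply UNIT PROXY_URL
if [ "${1:-}" = "--apply" ]; then
    write_proxy_dropin "$2" "$3" || exit 1
    systemctl daemon-reload
    # Confirm that the merged unit now carries the variables.
    systemctl show -p Environment "$2"
fi
```

Because the override lives under /etc/systemd/system, a package upgrade that replaces /lib/systemd/system/certbot.service does not remove it.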