TLS certificate automation with certbot and strict renewal checks

Certificate expiry outages are avoidable with boring automation and good alerting. I use automatic renewal, post-renew validation hooks, and external checks that warn well before expiry. TLS is not finished once the first certificate works.