Pour le renouvellement des certificats, après de mémoire la création manuelle, j'ai le fichier de conf /etc/letsencrypt/renewal/nom-de-domaine.conf

# renew_before_expiry = 30 days
version = 0.24.0
cert = /etc/letsencrypt/live/nom-de-domaine/cert.pem
privkey = /etc/letsencrypt/live/nom-de-domaine/privkey.pem
chain = /etc/letsencrypt/live/nom-de-domaine/chain.pem
fullchain = /etc/letsencrypt/live/nom-de-domaine/fullchain.pem
archive_dir = /etc/letsencrypt/archive/nom-de-domaine

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
rsa_key_size = 4096
account = f21ccne3+mx77bfienf3091df9375b28
post_hook = /usr/bin/systemctl start httpd.service
pre_hook = /usr/bin/systemctl stop httpd.service
#manual_public_ip_logging_ok = True

Le renouvellement se fait grâce à un service activer par un timer.

Le service /etc/systemd/system/certbot.service :

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --pre-hook "/usr/bin/systemctl stop httpd.service" --post-hook "/usr/bin/systemctl start httpd.service" --quiet --agree-tos

Le timer /etc/systemd/system/certbot.timer :

[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=weekly
RandomizedDelaySec=2day
Persistent=true

[Install]
WantedBy=timers.target