TLS renewal notes

DNS-based validation is useful for wildcard certificates and for hosts where HTTPS termination is separated from the public edge.

Deploy hook

Reload only services that read certificate files directly.

#!/bin/sh
# Deploy hook: reload nginx so it picks up the renewed certificate files.
systemctl reload nginx
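
An added example, not part of the original notes: a deploy hook that reloads only the services whose certificate path lies inside the renewed directory. It assumes the ACME client exports that directory as RENEWED_LINEAGE (certbot does); the service map, its paths and the DRY_RUN switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: selective deploy hook. All names below are hypothetical.

# One "service:certificate-path" pair per line (constructed sample values).
# haproxy reads a separately built copy, so this hook does not reload it.
SERVICE_CERT_MAP='nginx:/etc/letsencrypt/live/example.test/fullchain.pem
postfix:/etc/letsencrypt/live/mail.example.test/fullchain.pem
haproxy:/etc/haproxy/certs/example.test.pem'

# services_for_lineage DIR
# Prints the services from SERVICE_CERT_MAP that read a file inside DIR.
services_for_lineage() {
    lineage=${1:-}
    lineage=${lineage%/}            # tolerate a trailing slash
    [ -n "$lineage" ] || return 1   # refuse to match everything on empty input
    printf '%s\n' "$SERVICE_CERT_MAP" | while IFS=: read -r svc path; do
        case "$path" in
            "$lineage"/*) printf '%s\n' "$svc" ;;
        esac
    done
}

# reload_services DIR
# Reloads each matching service; with DRY_RUN=1 it only prints the commands.
reload_services() {
    for svc in $(services_for_lineage "$1"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'systemctl reload %s\n' "$svc"
        else
            systemctl reload "$svc"
        fi
    done
}

# Act only when the ACME client invoked the hook with a renewed directory.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_services "$RENEWED_LINEAGE"
fi
```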

Renewal checks should be tested with dry-run before relying on scheduled automation.