The introduction of let's encrypt certificates for https invoked a certbot request within the https configuration --- this is incorrect, as it adds an overhead and point of failure at boot. Properly, the certbot request should be handled by an op-mode 'generate' command, similar to, say, wireguard keys. The challenge will be proper migration of old to new behaviour.