Attached patch adds a certbot service extending nginx.  Only question
is, how to ensure that nginx is runing when the certbot activation runs?
In practice I bet this races so it's not a big issue but if there's a
way to require nginx before activation, that would be nice.