Philip Radley-Smith

Closed

Based on a number of issues we found with load balancers via Ploi, we have implemented a number of different workarounds - This would make life much easier for people who may run into the same issues:

  1. update-certs.sh - replace the cert request with a straight "certbot renew --force-renewal" with no other variables - by updating the script to that, ours are renewing with no issue

  2. "X number of SSL expires in 10 days" email - We have created a daily script which emails us using the API and our own lookups to see what sites are currently close to expiring so we are not caught out. This email would take you to a dashboard where you can see what's running out when, so you can have an idea of what might be going wrong.

  3. HAProxy crt-list: Instead of putting each domain name on the crt line, replace it with:

bind *:443 ssl crt-list /etc/ssl/end/crt.txt

Have the cert file locations piped to the crt.txt when created on the load balancer and then have HAProxy renew. This cuts out the line character limit on the cfg file.

SSL Changes (Updates and failure notification)

1 total vote
Philip Radley-Smith
  • Dennis moved item to board Closed

    5 months ago
  • Philip Radley-Smith created the item

    9 months ago
  • Philip Radley-Smith moved item to project Server Level Requests

    9 months ago
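
Workarounds 2 and 3 from the request above, as an added example that is not part of the original post or Ploi's own tooling: one function builds the crt-list file from a certificate directory, the other reports entries that expire within 10 days. The certificate directory layout (one combined cert+key `.pem` per site) and both function names are assumptions; only `/etc/ssl/end/crt.txt` comes from the post.

```bash
#!/usr/bin/env bash
# Added example. The cert directory layout and the function names are
# assumptions; /etc/ssl/end/crt.txt is the path used in the post.

# Write one PEM path per line (the simplest crt-list form) to $2.
# The list is built in a temp file and renamed into place, and an empty
# result never replaces an existing list.
build_crt_list() {
    local cert_dir out tmp pem
    cert_dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    for pem in "$cert_dir"/*.pem; do
        [ -f "$pem" ] || continue      # glob matched nothing
        printf '%s\n' "$pem" >> "$tmp"
    done
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$out"
}

# Print every crt-list entry whose certificate expires within $2 days
# (default 10). Missing or unparsable files are printed too, because
# `openssl x509 -checkend` also exits non-zero for them.
expiring_soon() {
    local list days path rest
    list=$1; days=${2:-10}
    while read -r path rest; do
        case $path in ''|'#'*) continue ;; esac
        if ! openssl x509 -in "$path" -noout \
                -checkend $((days * 86400)) </dev/null >/dev/null 2>&1; then
            printf '%s\n' "$path"
        fi
    done < "$list"
}

# Typical use (the cert directory is a placeholder):
#   build_crt_list /path/to/certs /etc/ssl/end/crt.txt
#   expiring_soon /etc/ssl/end/crt.txt 10
```

HAProxy reads the crt-list when it starts or reloads, so a rebuilt list takes effect only after a reload.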