Comment 0 for bug 1886084

Avamander (avamander) wrote :

For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't a network yet.

The second issue is that it has `PrivateTmp=true`, which breaks setups where certbot's webroot is in `/tmp`; this is not a good default.

The third issue is that the service instead lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups.
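
The three points in the comment above can be checked mechanically against a unit file. This is an added example, not part of the original comment or the certbot package: `SAMPLE_UNIT` is a constructed unit modelled on the description, and `parse_unit` and `audit` are hypothetical helper names.

```python
TRUE = {"1", "yes", "true", "on"}

# Constructed sample modelled on the comment's description, not the packaged unit file.
SAMPLE_UNIT = """\
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; an empty assignment resets the key."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            values = unit[section].setdefault(key, [])
            if value:
                values.append(value)
            else:
                values.clear()
    return unit

def audit(text, webroot=None):
    """Check the three points raised in the comment; returns a list of findings."""
    unit = parse_unit(text)
    svc = unit.get("Service", {})
    after = [t for v in unit.get("Unit", {}).get("After", []) for t in v.split()]

    def enabled(key, extra=()):
        vals = svc.get(key, [])  # for single-valued settings the last assignment wins
        return bool(vals) and vals[-1].lower() in TRUE.union(extra)

    findings = []
    if "network.target" not in after:
        findings.append("no After=network.target ordering")
    # PrivateTmp= gives the service its own /tmp and /var/tmp
    if enabled("PrivateTmp") and webroot and (webroot + "/").startswith(("/tmp/", "/var/tmp/")):
        findings.append("PrivateTmp hides webroot " + webroot)
    for key, extra in (("NoNewPrivileges", ()), ("ProtectHome", ("read-only", "tmpfs"))):
        if not enabled(key, extra):
            findings.append(key + " not enabled")
    return findings
```

On a real system, the text to audit would be the merged unit including drop-ins, as printed by `systemctl cat certbot.service`.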