That works, there's no problem at all. For a while. But aox reads certificates on startup, and is stable enough to run for months or years, longer than the lifetime of a letsencrypt certificate, so eventually it will use an expired certificate because it hasn't reread its configuration in the past three months.
I found a really nice unixy solution in incron, a linux-specific cron-like daemon that watches directories and runs programs when things happen in those directories. It's small, self-contained and easily debuggable, in the best unix tradition. Charming.
I installed incron using

    apt-get install incron

and added a one-line file as /etc/incron.d/aox-restart:

    /etc/letsencrypt/live IN_CREATE /usr/local/archiveopteryx/bin/aox restart

I think it's probably best to watch the file the aox tls-certificate variable specifies, but I started with the entire …/live directory for ease of testing. That let me touch a file and see aox restart.
Now aox restarts instantly whenever certbot renews the TLS certificate.
It would be possible to leave existing IMAP connections running, but frankly I don't think that's worth the effort.
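Two things a practitioner will want to handle around that one-line entry: inotify watches (and therefore incron entries) are not recursive, and certbot documents the files under live/<name>/ as symlinks that it repoints into archive/ at each renewal, so the watch has to sit on the per-domain directory and one renewal produces a burst of several IN_CREATE events. The wrapper below is an added example, not part of the original post and not code from Archiveopteryx, incron or certbot. It assumes incron's documented $@ (watched directory) and $# (file name) substitutions, a placeholder domain mail.example.org, and that the file aox's tls-certificate setting points at is named fullchain.pem; it coalesces the event burst into one restart and refuses to restart on a file that does not parse as a currently valid certificate.

```shell
#!/bin/sh
# Restart wrapper for an incron entry. Added example; not from the original
# post and not part of Archiveopteryx, incron or certbot.
# Assumed incron table line (mail.example.org is a placeholder domain):
#   /etc/letsencrypt/live/mail.example.org IN_CREATE /usr/local/sbin/aox-cert-restart $@/$#

STATE_DIR="${AOX_RESTART_STATE:-/run/aox-cert-restart}"   # holds the last-restart stamp
MIN_INTERVAL="${AOX_RESTART_INTERVAL:-60}"                # seconds; coalesces one renewal's burst of events
AOX="${AOX_BIN:-/usr/local/archiveopteryx/bin/aox}"       # aox binary path from the post
CERT_NAME="${AOX_CERT_NAME:-fullchain.pem}"               # assumed name of the file tls-certificate points at

# should_restart: succeed (0) and record a timestamp if no restart has been
# recorded within the last MIN_INTERVAL seconds; fail (1) otherwise.
should_restart() {
    mkdir -p "$STATE_DIR" || return 1
    stamp="$STATE_DIR/last-restart"
    now=$(date +%s)
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$MIN_INTERVAL" ]; then
            return 1
        fi
    fi
    printf '%s\n' "$now" > "$stamp"
}

# wanted_event FILENAME: succeed only for the one file we care about, so the
# several symlinks certbot repoints per renewal do not each start a restart.
wanted_event() {
    [ "$1" = "$CERT_NAME" ]
}

# cert_is_usable PATH: succeed if PATH holds a PEM certificate that is not
# expired and will still be valid 24 hours from now.
cert_is_usable() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

main() {
    path="$1"
    name="${path##*/}"
    wanted_event "$name" || exit 0
    if ! cert_is_usable "$path"; then
        logger -t aox-cert-restart "refusing restart: $path is not a usable certificate"
        exit 1
    fi
    should_restart || exit 0      # a restart already happened moments ago
    logger -t aox-cert-restart "restarting aox after $path changed"
    exec "$AOX" restart
}

# Only act when incron invokes the script with the changed path as argument.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The stamp directory under /run disappears on reboot, which is the right lifetime for a debounce marker; raise AOX_RESTART_INTERVAL if certbot on the host takes longer than a minute to finish writing a lineage.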