Just updated the first post above.
After checking the Letsencrypt log, I found that the renewal application was being made at times outside the range of the custom cron setting, and upon further checking it appears that the Pi installation package also sets up systemd to run the process twice daily at random times.
See this post.
So no need for the cron job - it has been removed, and the post-hook function has been now been moved to the shell script instead.
It appears that the configuration of Certbot varies dependent upon the OS.
@BartButenaers - for info
