Monitoring has been added in Icinga and works now:
The only slight issue I see is that we will get 6 alerts at once when the cert gets close to expiry in 1821 minus 60 days.
But on the other hand it checks each individual host for having other (non-cert but webserver) issues and would detect if we forget to add a hostname to the cert.
So I guess we can call it resolved.
Cert changes do not notify nginx for a reload. After we left for the evening, two of the hosts still served the old certificate until the reload was performed on the secondary hosts the following morning.
Ideally, we'll move to a more unified certificate monitoring approach. I think this arrangement will be ok until we can adopt that unified solution.
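The stale-certificate problem above (hosts still serving the old certificate because nginx was never reloaded) is exactly the gap a per-host expiry check does not close: the file on disk is fresh, so nothing alerts. The following shell script is an added example written for this page, not code from the ticket or from the project's infrastructure. It compares the SHA-256 fingerprint of the certificate file on disk with the fingerprint of the leaf certificate a host actually serves, and optionally reloads nginx only when they differ. The argument layout, the assumption that openssl is installed, and the systemd reload command are all assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the ticket): detect a certificate that was rotated on
# disk but is still not being served because nginx was never reloaded.
# Assumptions: openssl is installed; arguments are <certfile> <host> <port> [sni].
set -u

# SHA-256 fingerprint of a PEM certificate file (empty string if unreadable).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served at host:port for SNI name $3.
served_fingerprint() {
    local host=$1 port=$2 sni=$3
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit status: 0 = served cert matches the file,
#              1 = served cert differs from the file (reload needed),
#              2 = one of the two certificates could not be read.
check_served_cert() {
    local certfile=$1 host=$2 port=$3 sni=${4:-$2}
    local want got
    want=$(file_fingerprint "$certfile")
    got=$(served_fingerprint "$host" "$port" "$sni")
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "UNKNOWN $host: could not read on-disk or served certificate" >&2
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "OK $host: serving $got"
        return 0
    fi
    echo "STALE $host: serving $got, on disk $want (nginx reload needed)"
    return 1
}

# Reload nginx only when the served certificate is stale; leaves the "unknown"
# case alone so a transient probe failure does not trigger reloads.
reload_if_stale() {
    local rc=0
    check_served_cert "$@" || rc=$?
    if [ "$rc" -eq 1 ]; then
        systemctl reload nginx   # assumed: nginx runs under systemd on this host
    fi
    return "$rc"
}
```

Run it against each host that should be serving the shared certificate (for example `check_served_cert /etc/ssl/certs/site.pem host1.example 443 site.example`), or hook `reload_if_stale` into whatever job installs the new certificate so the reload happens in the same step as the file change rather than the next morning.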