
Certbot

Certbot runs as a Docker container alongside nginx and handles Let's Encrypt TLS certificate issuance and renewal.

Shared Volumes

Certbot and nginx share two volumes for the ACME workflow:

Volume            Purpose                                              Used by
certbot-webroot   Stores ACME challenge files for domain validation    certbot (write), nginx (read)
certbot-certs     Stores issued certificates and private keys          certbot (write), nginx (read)

Nginx serves the challenge directory over plain HTTP so Let's Encrypt can validate domain ownership. The location block must live in the server block listening on port 80; a server-level return 301 to HTTPS in that block would fire before location matching and break validation:

location /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

With this root, a request for /.well-known/acme-challenge/<token> is answered from /var/www/certbot/.well-known/acme-challenge/<token>, which is where certbot's webroot plugin writes the token file.

Issuing a Certificate

When DNS is configured and pointing to the server, run the issue script:

scripts/issue-cert.sh

This script invokes certbot inside the container to request a certificate for the configured domains using the ACME HTTP-01 challenge. Certbot writes each challenge token into the certbot-webroot volume, and the Let's Encrypt validation servers fetch it over plain HTTP at http://<domain>/.well-known/acme-challenge/<token>, so port 80 must be reachable from the public internet and nginx must be serving the shared volume while the script runs.

Note

DNS A records (and AAAA records, if you publish any; Let's Encrypt prefers IPv6 when an AAAA record exists, so a stale one breaks validation) must be propagated before running this script. Certbot will fail if Let's Encrypt cannot reach the server on port 80 via the domain name.
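Before the first issuance it is worth proving the whole HTTP-01 path end to end: write a throwaway token into the shared webroot and fetch it through the public name on port 80, exactly as the validation servers will. The script below is an added example, not the project's own issue script. It assumes the certbot service is running, that the certbot-webroot volume is mounted at /var/www/certbot inside the certbot container (the same path nginx serves), and uses the page's domain; override DOMAIN, WEBROOT or WEBROOT_EXEC as needed.

```shell
#!/bin/sh
# Preflight for HTTP-01 issuance (added example, not the project's own script).
# Assumption: the certbot-webroot volume is mounted at /var/www/certbot inside
# the certbot container, matching the nginx "root /var/www/certbot" directive.
set -eu

DOMAIN="${DOMAIN:-ictedgefund.com}"
WEBROOT="${WEBROOT:-/var/www/certbot}"
# Command prefix used to run a shell inside the container that owns the webroot.
# Set WEBROOT_EXEC to the empty string to operate on a local directory instead.
WEBROOT_EXEC="${WEBROOT_EXEC-docker compose exec -T certbot}"

run_in_webroot() {
  # $WEBROOT_EXEC is intentionally unquoted so it word-splits into a command.
  if [ -n "$WEBROOT_EXEC" ]; then $WEBROOT_EXEC sh -c "$1"; else sh -c "$1"; fi
}

# Random hex token, the same shape certbot uses for its challenge file names.
probe_token() { openssl rand -hex 16; }

challenge_path() { printf '%s/.well-known/acme-challenge/%s' "$1" "$2"; }
challenge_url()  { printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"; }

# Write a probe file into the webroot; its content is the token itself.
write_probe() {
  p=$(challenge_path "$1" "$2")
  d=$(dirname "$p")
  run_in_webroot "mkdir -p '$d' && printf '%s' '$2' > '$p'"
}

remove_probe() {
  run_in_webroot "rm -f '$(challenge_path "$1" "$2")'"
}

# Fetch the probe over plain HTTP through the public name, as the Let's Encrypt
# validation servers will. Fails on DNS, port-80 reachability or nginx problems.
fetch_probe() {
  curl -fsS --max-time 10 "$(challenge_url "$1" "$2")"
}

preflight() {
  tok=$(probe_token)
  echo "Resolved addresses for $DOMAIN:"
  getent hosts "$DOMAIN" 2>/dev/null || echo "  (getent unavailable or no record)"
  write_probe "$WEBROOT" "$tok"
  # Always clean up the probe, even if the fetch fails.
  trap 'remove_probe "$WEBROOT" "$tok"' EXIT
  if ! body=$(fetch_probe "$DOMAIN" "$tok"); then
    echo "FAIL: could not fetch $(challenge_url "$DOMAIN" "$tok")" >&2
    return 1
  fi
  if [ "$body" = "$tok" ]; then
    echo "OK: challenge path served from the shared webroot"
  else
    echo "FAIL: unexpected body '$body' (is nginx serving the certbot-webroot volume?)" >&2
    return 1
  fi
}

# Only run the network checks when invoked with --run so the helpers can be
# sourced or exercised on their own.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `./preflight.sh --run` (name assumed) from the compose project directory; a clean "OK" means DNS, port 80 and the shared volume are all in place and scripts/issue-cert.sh should succeed.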

Renewing a Certificate

Let's Encrypt certificates expire after 90 days. To renew:

scripts/renew-cert.sh

After renewal, reload nginx to pick up the new certificate:

docker compose exec nginx nginx -s reload

Tip

Set up a cron job or scheduled task that runs the renewal script and the nginx reload together. Certbot only renews certificates that are within 30 days of expiry, so running it frequently is safe; certbot's own guidance is to run renewal twice a day, at a random minute, so that a transient failure is retried well before expiry. Keep a separate check on the certificate's remaining validity so a silently broken renewal job is noticed before the 90 days run out.
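A cron-friendly wrapper that chains the renewal and the reload, reloads nginx only when the certificate actually changed, verifies that the running nginx now presents the new certificate, and warns if expiry is closer than it should ever be. This is an added example, not the project's own script; it assumes the certificate path from the Certificate Location section and that scripts/renew-cert.sh and docker compose are run from the project directory.

```shell
#!/bin/sh
# Renewal wrapper for cron (added example, not the project's own script).
# Assumption: the nginx container mounts the live certificate at the path
# listed under Certificate Location, and this runs from the compose project dir.
set -eu

DOMAIN="${DOMAIN:-ictedgefund.com}"
CERT_IN_NGINX="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
WARN_DAYS="${WARN_DAYS:-14}"   # certbot renews at 30 days; closer than this means renewal is broken

# SHA-256 fingerprint of the leaf certificate in a PEM file (first cert in a chain).
cert_fingerprint() {
  openssl x509 -noout -in "$1" -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl -checkend exits 0 when the cert will still be valid after the window.
cert_expires_within() {
  if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Copy the certificate nginx has mounted out of its container for inspection.
# -T stops docker compose from allocating a TTY, which cron does not have.
dump_nginx_cert() {
  docker compose exec -T nginx cat "$CERT_IN_NGINX" > "$1"
}

# Fingerprint of whatever the running nginx actually presents on port 443.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

renew_and_reload() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  dump_nginx_cert "$tmp/before.pem"
  before=$(cert_fingerprint "$tmp/before.pem")

  scripts/renew-cert.sh          # no-op unless within 30 days of expiry

  dump_nginx_cert "$tmp/after.pem"
  after=$(cert_fingerprint "$tmp/after.pem")
  if [ "$before" != "$after" ]; then
    docker compose exec -T nginx nginx -s reload
    # Confirm the reload took effect: clients must see the new certificate.
    if [ "$(served_fingerprint "$DOMAIN")" != "$after" ]; then
      echo "nginx reloaded but still serves the old certificate" >&2
      return 1
    fi
    echo "renewed and reloaded: $after"
  else
    echo "certificate unchanged: $after"
  fi

  # Independent safety net: close to expiry means the renewal path is broken.
  if cert_expires_within "$tmp/after.pem" "$WARN_DAYS"; then
    echo "WARNING: $DOMAIN certificate expires within $WARN_DAYS days" >&2
    return 2
  fi
}

if [ "${1:-}" = "--run" ]; then renew_and_reload; fi
```

Schedule it twice daily, for example `17 3,15 * * * cd /path/to/project && ./scripts/renew-and-reload.sh --run` (script name and path assumed); a non-zero exit from cron is the signal that renewal or the reload needs attention.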

Certificate Location

Inside the nginx container, certificates are mounted at:

File          Path
Full chain    /etc/letsencrypt/live/ictedgefund.com/fullchain.pem
Private key   /etc/letsencrypt/live/ictedgefund.com/privkey.pem

The live/ entries are symlinks into archive/ that certbot repoints on each renewal, so nginx must be able to follow them and the whole certbot-certs volume, not just live/, has to be mounted. Only nginx and certbot need privkey.pem; mount the volume read-only into nginx and do not expose it to any other service.