The idea of ​​certboot is simple
1) At a certain URL (/.well-known) certbot places data (file)
2) Then it accesses the LetsEncrypt server
3) The LetsEncrypt server polls the site hosting certbot from different addresses and thereby makes sure that The server is who it claims to be.
4) LetsEncrypt gives the certificate/key to certbot
How to do:
1) Use certbot in webroot mode (not nginx)
2) In nginx, write ./well-known to indicate where certbot will put the file that LetsEncrypt will check
3) In nginx specify to take the certificate / key from where certboot puts it.
Paths to files for points 2) and 3) - must be specified in the certbot parameters.
The LetsEncrypt certificate is valid for 90 days, so you need to update it (of course, more often than once every 3 months)
. Certbot remembers its settings and updates so that it is not necessary to set all parameters with all paths.
And, of course, nginx must be accessible from the outside and exactly by the same url "/.well-known"
Ready-made solution
https://github.com/diresi/docker-nginx-certbot