MrSlam2022-02-09 15:41:16
Nginx

How to make nginx, docker (vaultwarden) and certbot work together?

Hello.
There is a server with Ubuntu 20.04; the nginx and certbot packages are installed on it. The same server also runs the vaultwarden docker container.
The container is started with these settings:

sudo docker run -d --name vaultwarden -e  \ 
    DOMAIN=https://под.домен.ру -e SIGNUPS_ALLOWED=false \
    -v /vw-data/:/data \
    -e WEBSOCKET_ENABLED=true \
    -p 80:80 -p 3012:3012 --restart on-failure \
    vaultwarden/server:latest

The nginx config has the following:
server {
    server_name под.домен.ру; # managed by Certbot
  location / {
    proxy_pass http://под.домен.ру:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://под.домен.ру:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://под.домен.ру:80;
  }
  # Optionally add extra authentication besides the ADMIN_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    auth_basic "Private";
    auth_basic_user_file /path/to/htpasswd_file;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://под.домен.ру:80;
  }

  location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
  }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/под.домен.ру/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/под.домен.ру/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#    if ($host = под.домен.ру) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot

#       listen 80 ;
#       listen [::]:80 ;
#    server_name под.домен.ру;
#    return 404; # managed by Certbot
}

With this setup, Vaultwarden works. But the redirect from http to https naturally does not work (as far as I understand, because of the commented-out if ($host = sub.domain.ru) { return 301 https://$host$request_uri; }). If you uncomment it, there is still no redirect, and VW works via http but not via https.

Also, with this config, if you try to renew the certificate (at least in test mode, certbot renew --dry-run), a verification error appears:

...
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: subdomain.ru
Type: unauthorized
Detail: Invalid response from
http://subdomain.ru/.well-known/acme-challenge/ nLO...


To stop it from appearing, I added this to the nginx config:
location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
  }

And for certbot I specified: certbot -w /var/www/letsencrypt

Accordingly, if I stop the container, certbot runs fine. So I would like to understand: where did I make a mistake in the config? And what needs to be done so that both certbot and the vaultwarden container work?

PS I tried running the container with different options, for example specifying the port -p 8080:80 and editing the nginx config to http://sub.domain.ru:8080, but in that case either VW does not work or nginx does not restart.


1 answer(s)
Boris Syomov, 2022-02-09
@MrSlam

The redirect on the nginx side does not work, not because it is commented out, but because nginx here does not listen on port 80 at all, so it cannot make any redirect. Hence the problems with certbot over http: the request goes directly to the container.
It would be better to bind the container to 127.0.0.1:80, for example. In nginx, make two server sections: one for external_ip:80, which only has the redirect; the other for external_ip:443, which contains the same as it does now.
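One way to lay out the two server sections the answer describes, as an added example that is not from the original thread. The domain sub.domain.ru, the webroot /var/www/letsencrypt and the loopback ports 8080/3012 are assumptions; the container is published on 127.0.0.1:8080 rather than 127.0.0.1:80 so that nginx can own port 80 on all interfaces without a port clash.

```nginx
# Assumed container start (constructed), published on loopback only:
#   docker run -d --name vaultwarden -e DOMAIN=https://sub.domain.ru -e WEBSOCKET_ENABLED=true \
#     -v /vw-data/:/data -p 127.0.0.1:8080:80 -p 127.0.0.1:3012:3012 vaultwarden/server:latest

# Plain-HTTP server: answers the ACME challenge itself, redirects everything else
server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.ru;

    # certbot renew / certbot certonly --webroot -w /var/www/letsencrypt
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: terminates TLS and proxies to the loopback-only container
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.ru;

    ssl_certificate     /etc/letsencrypt/live/sub.domain.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.ru/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket notifications: the Upgrade handshake needs HTTP/1.1 to the backend
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check with nginx -t and reload; with port 80 now owned by nginx, certbot renew --dry-run validates without stopping the container.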
