Dockerで環境構築を楽しつつ、シンプルにLet's Encryptを使う。DOMAINを実際のドメインに、CONTAINER_NAMEを稼働中のnginxコンテナ名に置き換える。

create-cert.sh

#!/bin/bash
  
docker run -it --rm \
            -p 80:80 \
            --name temp_certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
            certbot/certbot certonly \
            --standalone \
            --agree-tos \
            -d DOMAIN

nginx.conf

events {
    worker_connections  16;
}
http {
    server {
        listen 80;
        server_name DOMAIN;
        location ^~ /.well-known/acme-challenge/ {
            root /var/lib/letsencrypt;
        }
    }
    server {
        listen 443;
        server_name DOMAIN;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
        location / {
        }
    }
}

update-cert.sh

#!/bin/bash

docker run -it --rm \
            --name temp_certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
            certbot/certbot certonly \
            --webroot -w /var/lib/letsencrypt \
            --agree-tos \
            --keep-until-expiring \
            -d DOMAIN

docker exec CONTAINER_NAME nginx -s reload