stoltzmaniac / foco_ds_portal

A place for Fort Collins Data Science to display work online!


Certificates are not found after Nginx container is recreated

tompropst opened this issue · comments

I'm capturing this here before I go to bed...

When the Nginx container is recreated, it should have a mounted volume on the host where the certificates are stored. The problem is that certbot creates symbolic links in the volume we have mounted, and those links point to another directory that does not persist across container recreation. To save the certificates, I think we will need to mount both locations so that the certificates and links are both saved.

Here is a listing of the mounted volume we have now that shows the links (I replaced my domain with "my.test.host"):

$ ls -al ssl/live/lab.dureddo.com/
total 12
drwxr-xr-x 2 root            root 4096 Jan 18 04:21 .
drwxrwxr-x 3 trp             trp  4096 Jan 23 04:58 ..
lrwxrwxrwx 1 root            root   39 Jan 18 04:21 cert.pem -> ../../archive/my.test.host/cert1.pem
lrwxrwxrwx 1 root            root   40 Jan 18 04:21 chain.pem -> ../../archive/my.test.host/chain1.pem
lrwxrwxrwx 1 root            root   44 Jan 18 04:21 fullchain.pem -> ../../archive/my.test.host/fullchain1.pem
lrwxrwxrwx 1 root            root   42 Jan 18 04:21 privkey.pem -> ../../archive/my.test.host/privkey1.pem
-rw-r--r-- 1 systemd-network root  543 Jan 18 04:21 README

Currently, both of these are mounted, right?

      - $NGINXCONF:/etc/nginx/conf.d
      - $SSLROOT:/etc/letsencrypt/live

So are we not able to do this within the container itself?

Correct. There may be a more elegant way but I can make a pull request to...

Use these volumes in web-nginx:

volumes:
    - $NGINXCONF:/etc/nginx/conf.d
    - $SSLROOT:/etc/letsencrypt/live
    - $SSLARCHIVE:/etc/letsencrypt/archive

And then change the ssl directory to have ssl/live and ssl/archive with the .gitignore moved / copied into those sub-directories.

And then change the .env.example file to contain:

NGINXCONF=./project/nginx/conf.d
SSLROOT=./ssl/live
SSLARCHIVE=./ssl/archive

Sure, that would be great! 👍
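
A check for the failure described in this issue, added here as an example and not part of the thread or the project's code: it walks a certbot-style live directory and reports every symlink whose target (under the sibling archive directory) is missing. The function name `check_cert_links` is hypothetical, and the `live/<domain>/*.pem` layout is taken from the listing above.

```shell
#!/bin/sh
# Added example: report certbot symlinks under a "live" directory whose
# targets are missing, e.g. because the "archive" directory was not
# persisted when the container was recreated.
#
# Usage: check_cert_links ./ssl/live
# Prints each dangling link; the return status is the number found
# (0 = every link resolves, 255 = the argument is not a directory).

check_cert_links() {
    live_dir=$1
    dangling=0

    if [ ! -d "$live_dir" ]; then
        echo "not a directory: $live_dir" >&2
        return 255
    fi

    # certbot lays out live/<domain>/{cert,chain,fullchain,privkey}.pem
    for link in "$live_dir"/*/*.pem; do
        # An unmatched glob stays literal; skip anything that is not a symlink.
        [ -L "$link" ] || continue

        # -e follows the link, so it fails when the target does not exist.
        if [ ! -e "$link" ]; then
            echo "dangling: $link -> $(readlink "$link")"
            dangling=$((dangling + 1))
        fi
    done

    return "$dangling"
}
```

Run it against the host path behind `$SSLROOT` before recreating the container; a non-zero status means Nginx would start with certificate paths that point nowhere.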