
Can't renew TLS certificates verified through HTTP on docker engines
Open, NormalPublic

Description

We recently aligned the certificate procedures to use Certbot on Docker hosts the same way as on the other servers, i.e. with certbot installed directly on the host, not run as a container.

This is NOT related to the migration to acme.sh (except that the migration would solve this).
This does NOT affect DNS-verified certificates, only HTTP ones.

Expiration

  • docker-002 needs to be fixed before 2024-10-29 (all domains)
  • dwellers needs to be fixed before 2024-10-20 (verified for dwellers.nasqueron.org)

Event Timeline

dereckson triaged this task as High priority.Wed, Oct 9, 16:01
dereckson created this task.

SELinux context was the default for anything created under /var, which we didn't allow and aren't interested in allowing for nginx.

Context httpd_sys_content_t works like a charm, renewal worked on docker-002.

For reference, the previous solution used container_file_t, and historically sandbox_file_t, both explicitly allowed for nginx by our SELinux configuration.

Salt SELinux module issue

For Dwellers, grep -E raises a warning for the following regexp, which breaks the salt/modules/selinux.py code, see T2052.

Certificates renewal

Works like a charm.

Command log

Dwellers
$ semanage fcontext -a -t httpd_sys_content_t /var/letsencrypt-auto

$ certbot renew
[…]
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/airflow.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/artifacts.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/bugzilla.espace-win.org/fullchain.pem (success)
  /etc/letsencrypt/live/dwellers.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/forms.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/jenkins.test.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/notifications.integration.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/orange-rabbit.integration.nasqueron.org/fullchain.pem (success)
  /etc/letsencrypt/live/vault-notifications.integration.nasqueron.org/fullchain.pem (success)
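An added pre-renewal check (not from this task or Nasqueron's Salt configuration) that verifies the webroot's SELinux type before certbot runs and relabels it if needed. It assumes the webroot /var/letsencrypt-auto from the command log above, GNU stat for reading the context, and that the persistent fcontext rule should also cover files created inside the webroot, which the one-line command above did not.

```shell
#!/bin/sh
# Check that the certbot HTTP-01 webroot carries a type nginx may read,
# and fix it persistently (semanage + restorecon) when it does not.
set -eu

WEBROOT="${WEBROOT:-/var/letsencrypt-auto}"   # assumed path, from the task
WANTED_TYPE="httpd_sys_content_t"

# Types reported in the task as readable by nginx under this site's policy:
# httpd_sys_content_t (current), container_file_t and sandbox_file_t (older).
selinux_type_allowed() {
  case "$1" in
    httpd_sys_content_t|container_file_t|sandbox_file_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the type field from a context such as
# "unconfined_u:object_r:var_t:s0" -> "var_t".
context_type() {
  ctx="$1"
  ctx="${ctx#*:}"; ctx="${ctx#*:}"   # drop SELinux user and role
  printf '%s\n' "${ctx%%:*}"          # keep the type, drop the MLS level
}

# Current type of a path; %C is GNU stat's SELinux context format.
current_type() {
  context_type "$(stat -c %C "$1")"
}

# Relabel the webroot when its type is one nginx cannot read (e.g. the
# default var_t inherited under /var). The fcontext rule is persisted so a
# later restorecon does not revert it; "(/.*)?" also covers the challenge
# files certbot writes below the webroot (assumption, not the task's command).
ensure_webroot_label() {
  t="$(current_type "$WEBROOT")"
  if selinux_type_allowed "$t"; then
    echo "ok: $WEBROOT is $t"
    return 0
  fi
  echo "fixing: $WEBROOT is $t, expected $WANTED_TYPE"
  semanage fcontext -a -t "$WANTED_TYPE" "$WEBROOT(/.*)?"
  restorecon -Rv "$WEBROOT"
}
```

Run `ensure_webroot_label && certbot renew --dry-run` as root before the real renewal; a dry run fails loudly if the challenge path is still unreadable.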
dereckson lowered the priority of this task from High to Normal.Wed, Oct 9, 18:45
dereckson updated the task description.