I use Let's Encrypt DNS validation. This does not require you to run anything on your server. You just need to have a way to distribute the cert to your servers.
Can you explain this? I'm trying to bake Let's Encrypt certificates into my Docker images and I am trying to figure out a way around the race condition (nginx needs a certificate to run <-> the certificate needs nginx to run).
How about storing the letsencrypt certificates in a data-container/locally on the host and mapping those files to the nginx container when you start it?
For the very first time, you can use Let's Encrypt's manual verification process, but then have the Let's Encrypt client set up to renew certs automatically (possibly even from a separate container) using the same data file mappings.
Cannot run a Docker inside a Docker. The problem is not running a webserver; the problem is the race condition which needs to be solved when Docker starts up.
As a totally-naive-to-your-problem-particulars and totally-hacky suggestion, why not start nginx with a starter cert, then mv the new cert into position and reload nginx?
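The "starter cert, then swap and reload" idea above, combined with the shared cert volume suggested earlier, as an added example that is not from any commenter in this thread: nginx starts against a self-signed placeholder, and the real cert is later installed with an atomic rename plus a reload. The cert directory path and the `RELOAD_CMD` override are assumptions, and the key-matches-certificate check is there so a bad swap fails loudly instead of taking the site down on reload.

```shell
#!/bin/sh
# Bootstrap nginx with a placeholder cert so it can start, then atomically
# swap in the real Let's Encrypt cert from the shared volume and reload.
set -eu

CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"      # assumed path; a host volume mapped into the nginx container
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"   # overridable so the functions can run without nginx present

# Create a one-day self-signed placeholder if the volume holds no cert yet.
# Prints "bootstrap" when it generated one, "existing" when a cert was already there.
ensure_bootstrap_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    if [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ]; then
        echo "existing"
        return 0
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    chmod 600 "$dir/privkey.pem"
    echo "bootstrap"
}

# Install a freshly issued chain/key pair. Refuses a key that does not belong
# to the certificate, writes both files under temporary names, renames them
# (rename is atomic on one filesystem, so nginx never opens a half-written
# file), and finally asks nginx to reload.
install_cert() {
    dir="$1"; new_chain="$2"; new_key="$3"
    cert_pub=$(openssl x509 -in "$new_chain" -noout -pubkey)   # leaf cert's public key
    key_pub=$(openssl pkey -in "$new_key" -pubout)              # public half of the private key
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: private key does not match certificate" >&2
        return 1
    fi
    cp "$new_chain" "$dir/fullchain.pem.tmp"
    cp "$new_key" "$dir/privkey.pem.tmp"
    chmod 600 "$dir/privkey.pem.tmp"
    mv -f "$dir/fullchain.pem.tmp" "$dir/fullchain.pem"
    mv -f "$dir/privkey.pem.tmp" "$dir/privkey.pem"
    # Word splitting on $RELOAD_CMD is intended: it holds a full command line.
    $RELOAD_CMD
}
```

Run `ensure_bootstrap_cert "$CERT_DIR" example.com` before starting nginx, and `install_cert "$CERT_DIR" <fullchain> <privkey>` from whatever container or cron job obtains the real certificate.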
Have an instance with plain-text HTTP running only the Let's Encrypt challenge. Make an explicit rule for it on your load balancer, and deploy it first.