Kissenger

Reputation: 395

Why run certbot in a docker container?

I have a site working which has angular and node apps running in docker containers. These are brought up in a docker-compose file which also mounts volumes linking to the letsencrypt certificates, and it all seems to work fine. I created the letsencrypt certificates running certbot without a container.

I'm interested then, to understand why many people seem to run certbot in its own container in order to get and renew certificates? That approach seems to add to the complexity by having another container ... what am I missing - is my approach 'wrong' for some reason?

Edit: I wanted to add some examples: here, here, here, and here all run certbot in a container. I would love to understand the benefits of containerising certbot.

Upvotes: 6

Views: 1514

Answers (1)

GTF

Reputation: 8395

Two advantages of running certbot in its own container are:

  1. Management of certbot-generated files within the docker volumes subsystem: this allows you to keep these files isolated and to easily mount them into other containers without "polluting" your root filesystem.

  2. Containing the possible effects of certbot to a limited set of files, rather than running it "unjailed" on your root fs.

I can't think of any particular disadvantages beyond some extra complexity (although if this is all managed within a single docker-compose file it's probably less complex than setting up your docker-based ecosystem and then separately configuring and running certbot).

Upvotes: 1
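
The layout described in the answer above, as an added example that is not part of the original answer: certbot is the only service that can write the certificate volume, and the web container mounts it read-only. The service names, the `nginx` front end, `example.com` and the e-mail address are assumptions made for illustration.

```yaml
# Added example (assumed names): docker-compose.yml
services:
  web:
    image: nginx:stable
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Certificates and private keys: read-only, the web server never writes them.
      - letsencrypt:/etc/letsencrypt:ro
      # ACME HTTP-01 challenge files written by certbot, served read-only.
      # Assumes the nginx config serves /.well-known/acme-challenge/ from this path.
      - acme-webroot:/var/www/certbot:ro

  certbot:
    image: certbot/certbot
    # The only service with write access to the certificate volume.
    # Nothing from the host filesystem is mounted, so certbot's writes
    # are confined to these two named volumes.
    volumes:
      - letsencrypt:/etc/letsencrypt
      - acme-webroot:/var/www/certbot
    security_opt:
      - no-new-privileges:true
    # Not started by "docker compose up"; run on demand instead.
    profiles: ["certbot"]
    command: >
      certonly --webroot -w /var/www/certbot
      -d example.com --email admin@example.com
      --agree-tos --non-interactive

volumes:
  letsencrypt:
  acme-webroot:
```

`docker compose run --rm certbot` requests the certificate, and `docker compose run --rm certbot renew` (for example from a host cron job or timer) renews it; the web server has to reload afterwards to pick up the new files.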
