> Mandatory TLS means it’s going to be a huge PITA

Let's Encrypt!

Let’s Encrypt can’t generate certificates for localhost, much less containers accessed via a local network.

Sure, you can get anything to work, but it WILL be a huge PITA.

Let's Encrypt can generate certificates for your.domain. your.domain can in turn resolve to localhost. I've been using Let's Encrypt for websites behind a VPN for several years.

Yes, of course, and that might make sense in a production setting. Those certificates expire after 90 days though; do you really want to have to edit your DNS records every 90 days? To run something locally?

Why would I have to edit DNS records manually? I have a cron job that tries to renew the certificate once a day. There is no manual work involved.

In that case you’re using either HTTP or TLS verification, which only works if you have a public static IP/port that LE can access. You can’t do that from behind a NAT without port forwarding, and you generally don’t want your local Docker machines to be accessible to the internet.

Unless your cron script is doing some funky DNS altering, that is.

All of the DNS altering is performed automatically by lego [1] which has support for a large number of DNS providers.

[1] https://github.com/go-acme/lego
[2] https://go-acme.github.io/lego/dns/
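As an added illustration of what the "DNS altering" lego automates actually consists of (example code written for this thread, not lego's own code): in a DNS-01 challenge the client derives a TXT value from the CA's challenge token and its ACME account key thumbprint, publishes it at `_acme-challenge.<domain>`, and the CA looks up only that TXT record. The domain's A record, whether it points at 127.0.0.1 or a VPN address, never enters into the validation, which is why the "resolves to localhost" setup works without any port being reachable from the internet. The account JWK, the token and the in-memory DNS provider below are constructed stand-ins, not real values or a real provider API.

```python
import base64
import hashlib
import json
from typing import Dict, Set, Tuple

# Constructed stand-in for an ACME account's public JWK (not a real key; the x/y
# coordinates are placeholders and are never used for signing here).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "kid": "https://acme.example/acct/1",  # optional member; must not affect the thumbprint
}
# Constructed challenge token of the kind the CA hands out in the challenge object.
CHALLENGE_TOKEN = "constructed-token-0123456789abcdefghijklmn"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's required members.

    Only the required members are hashed, in lexicographic order, with no whitespace;
    optional members such as "kid" or "use" must not influence the value.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Client side: the TXT record (name, value) to publish for a DNS-01 challenge.

    value = base64url(SHA-256(token "." thumbprint))   (RFC 8555, section 8.4)
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{domain}", value


class FakeDnsProvider:
    """In-memory stand-in for the provider API that lego drives (constructed for this example)."""

    def __init__(self) -> None:
        self.txt: Dict[str, Set[str]] = {}

    def set_txt(self, name: str, value: str) -> None:
        self.txt.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.txt.get(name, set()).discard(value)

    def lookup_txt(self, name: str) -> Set[str]:
        return set(self.txt.get(name, ()))


def ca_validates(dns: FakeDnsProvider, domain: str, token: str, thumbprint: str) -> bool:
    """CA side: recompute the expected value and check that some TXT record matches.

    Note what is not consulted: the A/AAAA record for the domain. Pointing the name
    at 127.0.0.1 or at a VPN-only address has no effect on DNS-01 validation.
    """
    expected = b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())
    return expected in dns.lookup_txt(f"_acme-challenge.{domain}")


def run_challenge(domain: str, token: str, jwk: Dict[str, str], dns: FakeDnsProvider) -> bool:
    """Full exchange: publish the record, let the CA check it, then remove it again."""
    name, value = dns01_record(domain, token, jwk)
    dns.set_txt(name, value)
    try:
        return ca_validates(dns, domain, token, jwk_thumbprint(jwk))
    finally:
        dns.delete_txt(name, value)  # clean-up step, as an ACME client does after validation


if __name__ == "__main__":
    provider = FakeDnsProvider()
    record_name, record_value = dns01_record("your.domain", CHALLENGE_TOKEN, ACCOUNT_JWK)
    print(f"publish TXT {record_name} = {record_value}")
    print("validated:", run_challenge("your.domain", CHALLENGE_TOKEN, ACCOUNT_JWK, provider))
```

The only privilege the renewal job needs is the right to create and delete TXT records under `_acme-challenge`, so the API token handed to the cron job should be scoped to that zone (and, where the provider allows it, to that record type) rather than being a full-account key.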