{"id":"btcpayserver-letsencrypt-nginx-proxy-companion","name":"letsencrypt-nginx-proxy-companion","homepage":"https://hub.docker.com/r/btcpayserver/letsencrypt-nginx-proxy-companion","repo_url":"https://hub.docker.com/r/btcpayserver/letsencrypt-nginx-proxy-companion","category":"infrastructure","subcategories":[],"tags":["letsencrypt","acme","nginx","reverse-proxy","docker","tls","certificate-management","automation"],"what_it_does":"A Docker companion container that automates Let’s Encrypt certificate issuance/renewal for Nginx Proxy based setups (commonly with nginx-proxy/nginx-proxy-manager style), wiring certificate generation into the reverse-proxy workflow.","use_cases":["Automatically obtain and renew TLS certificates for containerized reverse proxies","Minimize manual certificate management for homelabs and production Docker deployments","Enable HTTPS for multiple dynamically-provisioned subdomains/services behind a single Nginx proxy"],"not_for":["Environments that require custom ACME challenges without container/Docker integration","Organizations that need a fully managed hosted certificate service with centralized governance","Non-Nginx reverse proxy setups without compatibility for the companion pattern"],"best_when":"You run Nginx behind a Docker-based dynamic proxy and want automatic Let’s Encrypt certificates with minimal ops overhead.","avoid_when":"You cannot run Docker (or equivalent container runtime) or cannot accommodate ACME HTTP/DNS reachability requirements for Let’s Encrypt validation.","alternatives":["certbot (standalone or webroot)","Caddy with automatic HTTPS","Traefik with built-in ACME","nginx-proxy + separate certbot automation","ACME client libraries/scripts integrated into your deployment pipeline"],"af_score":45.2,"security_score":42.8,"reliability_score":36.2,"package_type":"mcp_server","discovery_source":["docker_mcp"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T21:33:41.731945+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":false,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["No user-facing auth for an API (primarily uses ACME/Let’s Encrypt account + validation)","ACME account registration handled by the companion","Optional use of DNS provider credentials if configured for DNS-01"],"oauth":false,"scopes":false,"notes":"Authentication is not a typical app-layer auth concern; instead it relies on Let’s Encrypt ACME flows and (optionally) DNS provider credentials for DNS-01 challenge."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Software is open-source; Let’s Encrypt is free. Operational costs relate to infrastructure/networking and certificate issuance rate limits."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":true,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":45.2,"security_score":42.8,"reliability_score":36.2,"mcp_server_quality":0.0,"documentation_accuracy":50.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":60.0,"rate_limit_clarity":30.0,"tls_enforcement":80.0,"auth_strength":45.0,"scope_granularity":0.0,"dependency_hygiene":50.0,"secret_handling":40.0,"security_notes":"Primary security considerations are protecting any DNS provider credentials used for DNS-01, ensuring ACME/HTTP-01 validation paths are not exposed insecurely, and restricting container permissions/volume mounts so private keys/cert material aren’t overly accessible. TLS enforcement for issued certificates is typically strong, but secret-handling quality depends on deployment practices.","uptime_documented":0.0,"version_stability":50.0,"breaking_changes_history":50.0,"error_recovery":45.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["ACME validation failures are commonly due to reachability (ports/DNS/HTTP routing) rather than code issues; automated retries may not help without fixing networking.","Rate limits from Let’s Encrypt can occur if misconfigured; ensure proper constraints before repeated issuance attempts.","Secret/config handling (DNS provider credentials, email/account settings) is critical; agents should avoid logging env/secret values.","Container wiring (volumes, nginx-proxy companion environment variables, and correct network/hostname) must match the expected layout; small deviations can break renewals."]}}