Marksta
1 min read · Oct 24, 2019

--

This was so useful, thank you. I ended up going my own way on a couple of points:

  1. Rather than using the script, I built a separate docker compose file and nginx configuration to run nginx and certbot containers to generate the initial certificates as a one-off, then shared them in persistent docker volumes. That solves the chicken-and-egg situation!
  2. Rather than using the custom commands/entrypoints to sleep and wait, I used docker’s healthcheck to regularly run the nginx reload / certbot renewals. e.g. in docker-compose.yml:
     ```yaml
     certbot:
       # ...
       entrypoint: ["sleep", "3650d"]
       healthcheck:
         test: ["CMD", "certbot", "renew"]
         interval: 12h
         timeout: 120s
         retries: 3
         start_period: 30s
     ```
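A one-off bootstrap compose file along the lines of point 1, as an added example that is not part of the original comment or the article it replies to. The file name, volume names, webroot path, `example.com` and the e-mail address are all assumptions to be replaced with your own values.

```yaml
# docker-compose.bootstrap.yml (hypothetical name): run once to obtain the
# first certificates, then start the real stack against the same volumes.
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"                      # HTTP only; no certificate exists yet
    volumes:
      - certbot-www:/var/www/certbot:ro
    # Write a minimal config that serves ACME challenges and nothing else,
    # so this temporary server exposes no application content.
    command:
      - sh
      - -c
      - |
        cat > /etc/nginx/conf.d/default.conf <<'EOF'
        server {
          listen 80;
          server_name example.com;   # assumption: your domain
          location /.well-known/acme-challenge/ { root /var/www/certbot; }
          location / { return 404; }
        }
        EOF
        exec nginx -g 'daemon off;'

  certbot:
    image: certbot/certbot
    depends_on:
      - nginx
    volumes:
      - certbot-www:/var/www/certbot     # challenge files, read by nginx
      - certbot-conf:/etc/letsencrypt    # issued certificates and account key
    # The image's entrypoint is certbot, so this runs "certbot certonly ...".
    command: >
      certonly --webroot -w /var/www/certbot
      -d example.com --email admin@example.com
      --agree-tos --non-interactive

# Fixed names so the main compose file can mount the same volumes
# by declaring them with "external: true".
volumes:
  certbot-www:
    name: certbot-www
  certbot-conf:
    name: certbot-conf
```

The `certbot-conf` volume holds private keys, so in the main stack mount it read-only into nginx and read-write only into the certbot container.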
