Docker Compose. Using pretty much the most standard setup. Having Let’s Encrypt set up for a single sub-domain only, validation via http, etc. It’s pretty much like in the README.
Looking at the logs closer again, I noticed, that Docker Compose was too lazy to get the newest image version up & running. After running a docker rm -f on the container in question, the newest version was pulled and now it actually checks, whether a valid certificate already exists, avoiding re-generation on every restart.