If you set up your router to match your domain.name, you can do everything with a hairpin NAT and using Apache as reverse proxy forwarder (which is basically the same as what NGinx does)
Then there is no need to copy certificates and certbot is only used on Apache
