So a few days ago, a site went down because Apache had shut down. Odd, so I started up Apache again and a few hours later the same happened again. Digging into the logs I was seeing an error message relating to Apache being unable to listen on port 80. Now this server has a setup with haproxy listening on ports 80 and 443 to terminate the SSL, then the request is passed back to Varnish on port 8888 and finally to Apache on port 8080. So Apache shouldn’t even be trying to listen on port 80.
Looking at the vhost config, Apache was indeed configured to listen on port 80, but this same setup had been running untouched and without issue for a couple of months already. Eventually I thought about certbot as being a potential cause of the issue and looked at the certificate, and the issues had started exactly 30 days before the certificate was due for renewal - which is the time certbot will renew a certificate.
So I can only really conclude that certbot auto renew has edited the Apache vhost config and in turn broken the site. Editing the vhost config was something I selected to happen on initial certificate generation, and this was before using haproxy and Varnish in front of Apache, but why is the vhost edited on auto renew and how can I stop it?