It is not "md" that needs reloading or starting. It is Apache. For Apache to see any updates to its config it needs to be reloaded (at minimum). That includes changes to any file it includes or otherwise references. In this case the cert files are referenced by Apache - you just don't see them named in the Apache config.
You could reload less frequently than daily but it still needs to be done. I can't comment on the implication of your user logins. Perhaps you could write a script to check mod_md for a cert update and only reload Apache on the night when you see one?
A Certificate Authority (CA) may revoke certs without action on your part. These are rare but do occur. mod_md uses ARI so it will get informed of this and renew the cert. But, a reload is needed for Apache to use it. I can't speak to the implications on your app should you not reload soon enough and the client sees a revoked cert (this is complicated).
Mind you, with Certbot you would have had to reload Apache too. For example, with its --apache option it does so automatically and immediately upon getting a fresh cert. Mod_md does not add any different requirement than required by Certbot or any other ACME Client.
Perhaps a different volunteer here will know more why those login sessions would be lost after a reload. Or, try an Apache support forum. I don't know enough about that part of Apache to say.
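One way to do the "check for a cert update and reload only on the night you see one" idea from the post above, added here as an example (it is not from the thread or from the mod_md project). It uses mod_md's MDMessageCmd hook, which mod_md invokes as `<cmd> <reason> <mdomain>` with reasons such as `renewed`, `installed`, `expiring` and `errored`. The state directory, the hook path and the reload command are assumptions; the hook runs as the Apache user, so the state directory must be writable by it, and the nightly job runs from root's cron.

```sh
#!/bin/sh
# Added example: MDMessageCmd hook plus a nightly "reload only if needed" job.
# Install as /usr/local/sbin/md-reload-hook.sh (assumed path) and configure
#   MDMessageCmd /usr/local/sbin/md-reload-hook.sh
# Cron (assumed window): 30 3 * * * /usr/local/sbin/md-reload-hook.sh nightly
STATE_DIR="${MD_RELOAD_STATE_DIR:-/var/lib/md-reload}"   # assumed; must be writable by www-data
RELOAD_CMD="${MD_RELOAD_CMD:-apachectl graceful}"        # graceful keeps existing connections

# Called by mod_md as: md_message_handler <reason> <mdomain>
md_message_handler() {
    reason="$1"; domain="$2"
    mkdir -p "$STATE_DIR"
    case "$reason" in
        renewed)
            # New cert is staged on disk, but Apache keeps serving the old one
            # until reloaded. Record the MDomain so the nightly job knows to reload.
            echo "$domain" >> "$STATE_DIR/pending"
            return 0 ;;
        installed)
            # mod_md reports the staged cert is now active (i.e. after a reload). Nothing to do.
            return 0 ;;
        errored|expiring)
            # Renewal failed, or the cert is nearing expiry without a renewal: alert.
            echo "mod_md: $reason for $domain" >&2
            return 0 ;;
        *)
            return 0 ;;
    esac
}

# Run from cron in the maintenance window. Reloads Apache only when at least one
# renewal is pending, and keeps the pending list if the reload fails so it retries.
nightly_reload_if_pending() {
    if [ -s "$STATE_DIR/pending" ]; then
        sort -u "$STATE_DIR/pending"      # log which MDomains triggered the reload
        if $RELOAD_CMD; then
            rm -f "$STATE_DIR/pending"
            echo reloaded
            return 0
        fi
        echo "reload failed, keeping pending list" >&2
        return 1
    fi
    echo skipped
    return 0
}

# Dispatch: mod_md passes "<reason> <mdomain>"; cron passes "nightly".
case "${1:-}" in
    nightly) nightly_reload_if_pending ;;
    "") : ;;                 # no args: only define the functions
    *) md_message_handler "$@" ;;
esac
```

Before relying on it, confirm in the error log that mod_md actually runs the hook on renewal (it logs the command invocation at `md:info` level or above) and test the cron path once by hand; a hook that silently fails to write its stamp means the reload never happens and the staged cert sits unused until the next restart.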
When adding an additional VirtualHost, xxx in post 9 above:
If I have a number of directives after the MDomain for xbiologix.net and before the VirtualHost for issues.xbiologix.net and aliases, will they also apply to the MDomain and new VirtualHost for xxx? I'm thinking yes, and it would be clearer to move the MDomain for xbiologix.net after those directives to just before the VirtualHost section. Otherwise, they should probably be inside the VirtualHost section for each separate MDomain.
These directives are things like:
ServerAdmin
SSLProtocol
SSLOpenSSLConfCmd
ExtFilterDefine
<IfModule mod_headers.c>
Header always set Strict-Transport-Security
Yes, those are good things to keep in the "server config" context. You might consider placing those in the apache2.conf file just before the include for the VHost .conf files.
You might also re-familiarize yourself with the different Apache contexts: Terms Used to Describe Directives - Apache HTTP Server Version 2.4
Some settings may appear in several contexts. Others in only one. The Apache docs clearly state the contexts available for each setting.
To that list you might also include the mod_md settings that are shared among all MDomain VHosts such as the one for "agreement" and MDMessageCmd if you plan to use that (or possible alternative MDNotifyCmd).
You might also review the options at this site: Mozilla SSL Configuration Generator
Ignore the settings in the VirtualHost but the options on the bottom are often best as a "server" context. Let's Encrypt no longer does Stapled certs so don't choose that. And I recommend not setting HSTS until you know enough about it to be certain it won't cause you problems.
Thanks. I tried reassigning (moving) one of the hosts from one vhost to another, and got the error
[md:error] ... two Managed Domains have an overlap in domain 'xbiologix.net'
I thought it would automatically remove it from the cert where it no longer existed. What's the proper way to do that? Remove it from one, restart, then add to the other?
You'll have to show me your layout. It sounds like we covered this earlier.
You can only use a domain name once in all your VirtualHosts for port 443
You previously had that same domain name in two different port 443 VHosts
Also, each VirtualHost for port 443 should have its own MDomain just before it. That MDomain must list one of the ServerName or ServerAlias names in that VHost.
There are many ways to manage these settings. I suggest using this as the simplest and easiest to manage.
Please show output of this:
sudo apache2ctl -t -D DUMP_VHOSTS
And then show the contents of each of the config files for any VHost shown from that output
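Pulling together the advice in this post and the earlier one about the "server config" context, here is an added example layout (not the poster's actual files and not from the mod_md project). It reuses the thread's hostnames; the file paths, email address and hook script path are assumptions.

```apache
# --- server config context (e.g. in apache2.conf, before the sites-enabled include) ---
ServerAdmin hostmaster@xbiologix.net          # assumed address
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
SSLSessionTickets off

# mod_md settings shared by every MDomain below
MDCertificateAgreement accepted
MDContactEmail hostmaster@xbiologix.net
MDMessageCmd /usr/local/sbin/md-reload-hook.sh  # assumed hook path

# --- sites-enabled/*.conf: one MDomain directly before each port 443 VHost ---
# Every name in an MDomain must also appear as ServerName or ServerAlias in the
# VHost that follows, and no name may appear in more than one MDomain.
MDomain issues.xbiologix.net www.xbiologix.net
<VirtualHost *:443>
    ServerName issues.xbiologix.net
    ServerAlias www.xbiologix.net
    SSLEngine on
    # No SSLCertificateFile/SSLCertificateKeyFile: mod_md supplies them.
    # HSTS left out deliberately; enable only once you know it cannot lock you out:
    # <IfModule mod_headers.c>
    #     Header always set Strict-Transport-Security "max-age=63072000"
    # </IfModule>
</VirtualHost>

MDomain xblgx-ops.xbiologix.net xbiologix.net
<VirtualHost *:443>
    ServerName xblgx-ops.xbiologix.net
    ServerAlias xbiologix.net
    SSLEngine on
</VirtualHost>

# BROKEN (do not add): xbiologix.net already belongs to the MDomain above, so
# this would fail with "two Managed Domains have an overlap in domain 'xbiologix.net'".
# MDomain issues-test.xbiologix.net xbiologix.net
# <VirtualHost *:443>
#     ServerName issues-test.xbiologix.net
#     ServerAlias xbiologix.net
# </VirtualHost>
```

To move a name between VHosts, remove it from both the old MDomain and the old VHost's ServerName/ServerAlias, add it to the new pair, then run `sudo apache2ctl -t -D DUMP_VHOSTS` before reloading: the overlap error comes from the config check itself, so it will show up there rather than at runtime.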
I had an error, moved the server name/alias but forgot to fix an MDomain stmt. Sorry for the fire-drill. It seems to be working; here's what I see. The port 80 "conflict" having all 3 (issues.xbiologix.net, www.xbiologix.net, and xbiologix.net) is intentional/transitional; it's redirected anyway.
# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.xbiologix.info (/etc/apache2/sites-enabled/xblgx-info-ssl.conf:5)
         port 443 namevhost www.xbiologix.info (/etc/apache2/sites-enabled/xblgx-info-ssl.conf:5)
                 alias xbiologix.info
         port 443 namevhost issues.xbiologix.net (/etc/apache2/sites-enabled/xblgx-ssl.conf:50)
                 alias www.xbiologix.net
         port 443 namevhost issues-test.xbiologix.net (/etc/apache2/sites-enabled/xblgx-ssl.conf:179)
         port 443 namevhost xblgx-ops.xbiologix.net (/etc/apache2/sites-enabled/xblgx-ssl.conf:279)
                 alias xbiologix.net
*:80                   is a NameVirtualHost
         default server www.xbiologix.info (/etc/apache2/sites-enabled/xblgx-info.conf:1)
         port 80 namevhost www.xbiologix.info (/etc/apache2/sites-enabled/xblgx-info.conf:1)
                 alias xbiologix.info
         port 80 namevhost issues.xbiologix.net (/etc/apache2/sites-enabled/xblgx.conf:3)
                 alias www.xbiologix.net
                 alias xbiologix.net