In any way, not depending from the distro you’re using, this behavior can be filed as a bug. Since:
- the server has its own configuration and it’s running
- certbot tries the renewal enabling the SSL module and modifying portf.conf
- apache fails to restart (due to modified config)
- certbot does not revert the configuration back to its original state, leaving the Apache server dead. Also if you try restarting Apache manually it will continue to be broken due to modified config.
Expected behavior
Even (or especially) if the renewal fails, revert Apache configuration back to it’s original status.