ECDSA Do I need to update the cert

I'm running "/usr/local/bin/certbot --apache -v renew" via the Launchcontrol app on Mac.

My domain is: robert-chalmers.uk

simple question, do I need to update the RSA cert to an ECDSA cert?
Or does it do it automatically now?
Or do I do it with certbot certonly and then it's OK?

It won't do it automatically.

New certificates are ECDSA (on certbot 2.0+); existing ones keep their algorithms.

If you want an ECDSA certificate to replace an existing one, you have to ask for it explicitly. But... you don't need to.

6 Likes

In short: No. You are not required to change anything, nor will any such change happen automatically.

That being said... [Enter the long story]:
Apache does support using multiple certs [of different types].
So, you could actually use both [an RSA & an ECDSA cert] for your domain [in the same vhost].
You could also review the differences [pros and cons] of each type and make your own educated decision about which type/strength/ciphers you want to use.

3 Likes

For clarity, a command similar to this one will cause certbot to ask "An RSA certificate already exists. Do you want to update its key type to ECDSA?"

certbot certonly -d example.com --apache

I did notice, however, the signature algorithm is stuck on SHA-256 with RSA Encryption.

4 Likes
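As an added illustration of the two points made above (a vhost serving both an RSA and an ECDSA certificate, and the explicit Certbot request for an ECDSA key), here is a configuration I wrote for this thread; it is not from any poster, nor from the Certbot or Apache documentation. The domain, the lineage name "example.com-ecdsa" and the file paths are assumptions (the paths follow Certbot's usual /etc/letsencrypt/live layout), and the two SSLCertificateFile pairs rely on Apache 2.4.8 or later, which accepts multiple certificates per vhost.

```apache
# Added example; "example.com" and the lineage name "example.com-ecdsa" are assumed.
#
# Keep the existing RSA lineage and add a separate ECDSA lineage, so that
# neither renewal overwrites the other:
#   certbot certonly --apache -d example.com --key-type rsa   --cert-name example.com
#   certbot certonly --apache -d example.com --key-type ecdsa --cert-name example.com-ecdsa
# (Running the second command without --cert-name would instead prompt to
#  convert the existing RSA lineage to ECDSA, as described above.)

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # RSA chain, for clients that cannot negotiate an ECDSA cipher suite.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # ECDSA chain; Apache selects whichever certificate matches the
    # cipher suite and signature algorithms the client negotiates.
    SSLCertificateFile    /etc/letsencrypt/live/example.com-ecdsa/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com-ecdsa/privkey.pem

    # Check which certificate is served for an ECDSA-capable client:
    #   openssl s_client -connect example.com:443 -sigalgs ECDSA+SHA256 </dev/null \
    #     | openssl x509 -noout -text | grep 'Public Key Algorithm'
    # and for an RSA-only client, replace ECDSA+SHA256 with RSA+SHA256.
</VirtualHost>
```

Run `apachectl configtest` before reloading. Because each lineage has its own renewal configuration under /etc/letsencrypt/renewal, a scheduled `certbot renew` (such as the Launchcontrol job in the question) renews both, each keeping its own key type.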

That's not something Certbot can control; it is managed by the CA.

See our recent announcement about this changing on June 6th, 2024.

5 Likes