Is server restart needed when obtaining certs using certbot and apache module


#1

Documentation on certbot plugins confuses me a little.

On the webroot part the doc says:

you’d prefer not to stop the webserver during the certificate issuance process, you can use the webroot plugin to obtain a cert by including certonly and --webroot on the command line

Does it mean the apache plugin will restart the webserver?

I am trying to automate the process of cert management. Restarting the webserver is not an option for me.


#2

No matter which method is used, the server needs to be restarted anyway for it to load the new/renewed cert. In the case of the apache plugin, it uses graceful restarts that do not result in any downtime.


#3

That’s indeed slightly confusing given its position right after the apache plugin description. It’s actually a reference to the standalone plugin, which works by binding to port 80 or 443 - meaning you would have to stop any existing web server listening on that port during renewal. Webroot would use your existing web server to serve the challenge files, so no restart needed.

The apache plugin itself doesn’t stop apache, but it reloads the configuration multiple times. Apache does this gracefully, basically starting a new process that handles new connections, while the old process is kept around until all existing connections are drained. This doesn’t involve any downtime. If the new configuration is somehow broken, certbot performs a rollback.
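
The no-downtime flow described in the replies above can be sketched as a webroot issuance plus a deploy hook that reloads Apache gracefully only when the configuration passes a check. This is an added example, not part of any reply in this thread and not certbot's own code. Assumptions: `example.com`, `/var/www/html` and the hook path are placeholders, and the control script is `apachectl` (`apache2ctl` on Debian-based systems).

```shell
#!/bin/sh
# Added example: certbot deploy hook for Apache (not from the thread).
# Issue through the running server, nothing is stopped (placeholder names):
#   certbot certonly --webroot -w /var/www/html -d example.com \
#       --deploy-hook /usr/local/bin/apache-graceful.sh
# certbot runs the deploy hook only after a certificate was issued or renewed
# and exports RENEWED_LINEAGE (the live/ directory of that certificate).

# Overridable so the hook can be exercised on a machine without Apache.
APACHECTL="${APACHECTL:-apachectl}"

# Return 0 if the renewed lineage holds a readable certificate chain and key.
lineage_ok() {
    [ -n "$1" ] && [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Check the configuration first, then reload gracefully.
# Returns: 0 reloaded, 2 unusable lineage, 3 configtest failed, 4 reload failed.
deploy_cert() {
    lineage="$1"
    if ! lineage_ok "$lineage"; then
        echo "deploy hook: no usable certificate in '$lineage'" >&2
        return 2
    fi
    # A failed configtest means no reload is attempted, so the running
    # server keeps serving with the configuration it already has loaded.
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "deploy hook: configtest failed, running server left untouched" >&2
        return 3
    fi
    # Graceful reload: existing connections finish, new ones see the new cert.
    "$APACHECTL" graceful || return 4
    echo "deploy hook: graceful reload done for $lineage"
}

# Only act when certbot invoked the script (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
fi
```

A non-zero exit status from the hook is the signal to alert on: it means a renewed certificate is on disk but Apache is still serving the old one.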


#4

Thank you all. That clears the confusion 🙂

