We are evaluating both the Certbot Apache and Webroot plugins for our hosting environment. Looking at the documentation found here: https://eff-certbot.readthedocs.io/en/stable/using.html
I can see that the webroot plugin seems to have decent documentation on what it does, how it does it, and what is required. However, the Apache plugin has a mere two sentences:
"The Apache plugin currently supports modern OSes based on Debian, Fedora, SUSE, Gentoo, CentOS and Darwin. This automates both obtaining and installing certificates on an Apache webserver."
Where can I find detailed documentation of what it is doing and how it does it? Is it similar to the webroot plugin in that it is writing to the domain's webroot? Or is it doing something different? I've seen some references on various websites that suggest it will modify my domain's virtualhost config, temporarily, during authentication, even if I use certonly.
What differentiates these two plugins? Is the Apache plugin, essentially, just a webroot plugin that modifies existing virtual hosts configs?
The Apache authenticator will temporarily add some configuration to the relevant virtual hosts, such that /.well-known/acme-challenge/ will be served from /var/lib/letsencrypt/http_challenges/.
It then reloads Apache and writes the challenge response file to that directory.
Some Apache virtual hosts may not have a document root at all or the document root may be inaccessible due to other rules, so this is how the plugin approaches the problem in a generic way.
If you have a controlled hosting environment where --webroot works predictably for you, I think it's a no-brainer. Less complex and fewer server reloads. The Apache plugin mainly shines for users that don't want to get into the nitty gritty of their configuration.