That's correct.
The Apache authenticator will temporarily add some configuration to the relevant virtual hosts, such that /.well-known/acme-challenge/
will be served from /var/lib/letsencrypt/http_challenges/
.
It then reloads Apache and writes the challenge response file to that directory.
Some Apache virtual hosts may not have a document root at all or the document root may be inaccessible due to other rules, so this is how the plugin approaches the problem in a generic way.
If you have a controlled hosting environment where --webroot
works predictably for you, I think it's a no-brainer. Less complex and fewer server reloads. The Apache plugin mainly shines for users that don't want to get into the nitty gritty of their configuration.