Problems with systemd / without apachectl

On at least two servers the automatic renewal of the certificates does not work due to systemd - actually the problems are related to the different hooks or calls that are made with apachectl (or apache2ctl, depending on the distribution).
One example: a Gentoo system with systemd:

# apache2ctl status
/usr/sbin/apache2ctl: /etc/init.d/apache2: /sbin/openrc-run: bad interpreter: No such file or directory
/usr/sbin/apache2ctl: line 2: /etc/init.d/apache2: Success

So I hacked the file certbot_apache/override_gentoo.py and replaced the restart_cmd to use systemctl instead. This worked for quite a while, but now the system does not incorporate openrc at all anymore (it uses systemd, so there is no need for openrc). Things are different on Gentoo systems: calling the binary apache2 must include the settings from the settings file within /etc/conf.d/apache2; this is a Gentoo-specific thing. I can hack this as well, by “grepping” the corresponding line for the options in order to call apache2 - which would be necessary to replace the other commands within that file (configtest for example).

Second example: a Debian system with systemd:

# /usr/bin/certbot renew --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Encountered exception during recovery
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 280, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1769, in cleanup
    self.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1658, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1669, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Maybe it would be a good idea to deal with the init systems separately; at least currently, certbot's certificate renewal does not work for me on two of three servers (the third one still has a valid certificate; no idea what will happen at the end of March, then the certificate will be outdated and a renewal will be necessary).
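
The "grepping" workaround described in the Gentoo example, as an added sketch that is not part of the original post and not certbot's own code: it reads APACHE2_OPTS from the text of /etc/conf.d/apache2 without sourcing the file in a shell, and builds an argument list for a config test that can be passed to subprocess without shell=True. The function names, the sample file contents, the binary path /usr/sbin/apache2 and the restriction to `-D NAME` pairs are assumptions of this example.

```python
import re
import shlex

# Constructed sample of a Gentoo /etc/conf.d/apache2 (not taken from the post).
SAMPLE_CONF_D = '''\
# /etc/conf.d/apache2: config file for /etc/init.d/apache2
# APACHE2_OPTS="-D OLD_SETTING"
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL \\
    -D SSL_DEFAULT_VHOST -D LANGUAGE"
'''

# Assumption: only "-D NAME" defines are accepted, so a modified conf.d file
# cannot smuggle other httpd options (for example -f or -c) into a root-run command.
DEFINE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def read_apache2_opts(conf_text):
    """Return the words of the last APACHE2_OPTS assignment, parsed without a shell."""
    joined = conf_text.replace("\\\n", "")  # undo shell line continuations
    opts = []
    for word in shlex.split(joined, comments=True):  # comment lines are skipped
        if word.startswith("APACHE2_OPTS="):
            opts = shlex.split(word[len("APACHE2_OPTS="):])
    return opts


def configtest_argv(conf_text, binary="/usr/sbin/apache2"):
    """Build the argv for a syntax check (httpd -t) that honours the Gentoo defines."""
    opts = read_apache2_opts(conf_text)
    if len(opts) % 2:
        raise ValueError("APACHE2_OPTS is not a list of '-D NAME' pairs")
    for flag, name in zip(opts[::2], opts[1::2]):
        if flag != "-D" or not DEFINE_NAME.match(name):
            raise ValueError("unexpected option in APACHE2_OPTS: %s %s" % (flag, name))
    return [binary] + opts + ["-t"]


if __name__ == "__main__":
    # On a real system the text would come from open("/etc/conf.d/apache2").read()
    # and the list would go to subprocess.run(argv) as is, never through a shell.
    print(configtest_argv(SAMPLE_CONF_D))
```
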
