I am on Ubuntu 18.04 and certbot 0.31.0. I have a number of domains that are attached to a single Apache/2.4.29 instance.
Just now, to renew, I had to stop Apache, renew, and start Apache. I don’t remember doing this in the past, but no matter. I need to automate this.
Is the correct way to add a pre-hook to restart Apache to the renewal conf files, or to the systemd service?
The service currently just runs certbot -q renew
An example renewal file has:
# Options used in the renewal process
[renewalparams]
account = SNIP
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
Is it possible that you didn't use --standalone for some of the earlier domains that you set up, but then did use it for a more recent one? The need to stop and restart Apache is typically specific to the --standalone method, and doesn't apply, for example, if you use the --apache method.
Yeah. It looks like I have one on apache and two on standalone.
Somewhat frustratingly, I can no longer generate the error, though I doubt that it is resolved. Neither --dry-run nor --force-renewal are having any issues with the untouched config and Apache running, now that they have been renewed with Apache stopped for a single run of certbot…
You could try just editing that file to change authenticator = standalone to authenticator = apache, which might completely obviate the need to stop Apache before renewals in the future.
Did your --force-renew command have any effect? (Since you may not have an installer alongside your authenticator, you might not notice the renewal on the live site until your web server is restarted, but you should be able to notice it with certbot certificates.)
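The mixed setup found in this thread (one certificate on apache, two on standalone) can be checked across all renewal files at once. The following is an added example, not part of the thread and not certbot's own code; the function names are hypothetical, /etc/letsencrypt/renewal is assumed to be the renewal directory (certbot's default), and pre_hook/post_hook are assumed to be the keys under which hooks are stored in [renewalparams].

```python
import configparser
from pathlib import Path

# Constructed sample mirroring the renewal file quoted in the thread.
SAMPLE_STANDALONE = """\
# Options used in the renewal process
[renewalparams]
account = SNIP
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
"""


def audit_renewal_conf(text):
    """Return (authenticator, needs_attention) for one renewal file's text."""
    # Renewal files have top-level keys before [renewalparams]; configparser
    # requires a section header first, so a dummy one is prepended.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string("[top]\n" + text)
    if parser.has_section("renewalparams"):
        params = parser["renewalparams"]
    else:
        params = {}
    authenticator = params.get("authenticator", "")
    # Both hooks are needed: one to stop Apache, one to start it again.
    has_hooks = bool(params.get("pre_hook")) and bool(params.get("post_hook"))
    # standalone runs its own web server, so it conflicts with a running
    # Apache unless hooks stop and restart it around the renewal.
    needs_attention = authenticator == "standalone" and not has_hooks
    return authenticator, needs_attention


def audit_directory(renewal_dir="/etc/letsencrypt/renewal"):
    """Audit every *.conf in the renewal directory (assumed default path)."""
    results = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        results[conf.name] = audit_renewal_conf(conf.read_text())
    return results


if __name__ == "__main__":
    for name, (auth, flagged) in audit_directory().items():
        status = "standalone without hooks" if flagged else "ok"
        print(f"{name}: authenticator={auth or 'unknown'} -> {status}")
```

Files reported as "standalone without hooks" are the ones that will fail under the unattended certbot -q renew while Apache is running.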