My web servers have an NFS share to a server that contains the SSL certs.
Meaning, the certs are not on the local web server but on a server that has access to our DNS server so that new certs or renewals can be done centrally.
The question is, does each virtual host need its own directive of:
Include /etc/letsencrypt/options-ssl-apache.conf
I personally don't use it. I have my own global settings in the ssl.conf file. Mainly cause I only have like 4 cipher sets and I disable SHA1 ciphers on top of the standard setup.
The problem seems to be that later running the certbot apache thing makes changes to the httpd.conf file. Lately, it started adding another file instead and an include in the conf file but I seem to have a mix.
So I can manually configure the web server and do not have to run the certbot apache/nginx options. I thought those did something in addition to configuring the web server conf.
Correct. I run the command with the certonly option and build my vhosts.
The --apache option will create a new vhost config file & append a line in the httpd.conf file to include the new file. It's an option for those less technical.
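An added example, not part of any post in this thread: a small Python audit that lists each TLS vhost in an Apache config and reports whether it pulls in /etc/letsencrypt/options-ssl-apache.conf or relies on global settings, which helps sort out the "mix" described above. The sample config, hostnames and function names are constructed for illustration.

```python
import re

CERTBOT_INCLUDE = "/etc/letsencrypt/options-ssl-apache.conf"

# Constructed sample config (not from the thread): one vhost certbot edited,
# one hand-built vhost relying on global ssl.conf settings, one plain HTTP.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/a.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/a.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/b.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/b.example.com/privkey.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName a.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of an uncommented directive, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1).strip('"') if m else None

def audit_vhosts(conf_text):
    """List TLS vhosts and whether each pulls in certbot's options file."""
    report = []
    for addr, body in VHOST_RE.findall(conf_text):
        if directive(body, "SSLEngine") is None and ":443" not in addr:
            continue  # plain HTTP vhost, nothing to audit
        includes = re.findall(r"^[ \t]*Include(?:Optional)?[ \t]+(\S+)",
                              body, re.M | re.I)
        report.append({
            "server_name": directive(body, "ServerName"),
            "cert": directive(body, "SSLCertificateFile"),
            "certbot_include": CERTBOT_INCLUDE in [i.strip('"') for i in includes],
        })
    return report

if __name__ == "__main__":
    for row in audit_vhosts(SAMPLE_CONF):
        print(row)
```

To check a real server, pass the concatenated text of httpd.conf and the included vhost files to `audit_vhosts` instead of `SAMPLE_CONF`.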