Is it possible to renew a certificate for Apache and emails services without restarting them? [closed]

I am deploying new certificates for my domains to use on web and email services. To do that, I am using Certbot, a program to create and renew Let's Encrypt certificates.

Every tutorial I've seen requires restarting web (apache) or email services (dovecot).

Does anyone know how to deploy a new certificate for apache or dovecot and start using it without restarting it?

Hugo Fonseca asked Nov 01 '25 20:11


1 Answer

The certbot documentation describes a method for obtaining a certificate without having to restart the webserver, using the webroot plugin: https://certbot.eff.org/docs/using.html#webroot

To summarize, you need to pass in a few extra arguments to the certbot command for your renewal: certonly, --webroot, and --webroot-path or -w. So the full command would look something like this:

certbot certonly --webroot -w /var/www/example/ -d www.example.com

According to the docs:

The webroot plugin works by creating a temporary file for each of your requested domains in ${webroot-path}/.well-known/acme-challenge. Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot.

This allows Let's Encrypt to perform the domain verification without stopping Apache to bind to port 80, 443, etc.

Ian Drake answered Nov 04 '25 03:11
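The answer covers issuing the certificate without taking Apache off port 80; the second half of the question, getting Apache and Dovecot to pick up the renewed files without a restart, is handled by a certbot deploy hook that issues a graceful reload. The script below is an added example, not code from the question, the answer or certbot; it assumes certbot's deploy-hook environment variables RENEWED_LINEAGE and RENEWED_DOMAINS, apachectl and doveadm on the same host, and a constructed hostname convention (mail./imap./smtp. prefixes mean Dovecot) for deciding which daemon to reload.

```shell
#!/bin/sh
# Constructed example of a certbot deploy hook. Drop it into
# /etc/letsencrypt/renewal-hooks/deploy/ (certbot's deploy-hook directory) or pass it
# with: certbot renew --deploy-hook /path/to/this/script
# Certbot runs it once per renewed lineage with RENEWED_LINEAGE (e.g.
# /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS (space-separated) exported.
set -eu

# Refuse to reload anything unless the renewed pair parses and is not about to expire;
# a daemon reloaded onto a broken file would fail TLS handshakes for every client.
check_lineage() {
    lineage=$1
    openssl x509 -noout -in "$lineage/fullchain.pem" >/dev/null 2>&1 || return 1
    openssl pkey -noout -in "$lineage/privkey.pem" >/dev/null 2>&1 || return 1
    # -checkend 86400 fails if the cert expires within the next 24 hours
    openssl x509 -noout -checkend 86400 -in "$lineage/fullchain.pem" >/dev/null 2>&1 || return 1
    return 0
}

# Map renewed hostnames to the daemons that serve them and print one graceful-reload
# command per line. Neither command kills existing connections: apachectl graceful
# re-reads config and certificates in new workers, doveadm reload does the same for
# Dovecot. Printing (rather than running) keeps the decision testable without root.
reload_plan() {
    web=0; mail=0
    for d in $1; do                 # intentional word split on the space-separated list
        case $d in
            mail.*|imap.*|smtp.*) mail=1 ;;   # constructed convention for mail hostnames
            *) web=1 ;;
        esac
    done
    [ "$web" -eq 1 ] && echo "apachectl -k graceful"
    [ "$mail" -eq 1 ] && echo "doveadm reload"
    return 0
}

# Only act when certbot actually invoked us with a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_lineage "$RENEWED_LINEAGE" || {
        echo "refusing to reload: bad certificate files in $RENEWED_LINEAGE" >&2
        exit 1
    }
    reload_plan "${RENEWED_DOMAINS:-}" | while read -r cmd; do
        echo "reloading: $cmd"
        $cmd
    done
fi
```

Run `certbot renew --dry-run` after installing the hook; certbot skips deploy hooks on dry runs, so the reload only fires on a real renewal.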