Hi Andrey,

If you have Apache listening on :80 and :443, you probably actually want to use the Apache *authenticator* to obtain all your certs (you don't have to install them in your Apache config). If you run certbot with "certonly --apache" what that will do is either use your default :443 vhost if you have one, or spin up a transient Apache vhost to prove control of the domain by TLS-SNI-01, obtain the cert, then remove the vhost again.

In all cases, using Apache for authentication but not installation should leave your Apache configuration in its original state after Certbot is run. You could edit the renewal conf file to make that happen, or just run:

    certbot certonly -n --force-renewal -a apache -i none -d $EMAIL_DOMAINS

to update that certificate lineage to use the apache authenticator. Then in the future, use:

    certbot certonly -n --apache -d $NEW_EMAIL_DOMAINS

to get certs for things like mail domains that you don't want Apache to actually respond to. (I'm including the -n non-interactive flag because it works around this UI issue: https://github.com/certbot/certbot/issues/3869 )

-- 
Peter Eckersley                  p...@eff.org
Chief Computer Scientist         Tel +1 415 436 9333 x131
Electronic Frontier Foundation   Fax +1 415 436 9993
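The "edit the renewal conf file" route mentioned above, as an added example that is not part of the original thread: a POSIX shell script that rewrites the [renewalparams] section of a Certbot lineage conf to authenticator = apache and installer = None (the same effect as -a apache -i none), keeping every other key and subsection. The sample conf contents, its path and the account id are constructed for illustration.

```shell
# Added example, not from the thread: switch a Certbot renewal lineage to the
# Apache authenticator with no installer by editing its renewal conf.
# The conf written by write_sample_conf is constructed for illustration.

# Write a constructed renewal conf (webroot authenticator) to the path in $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
version = 0.10.2
cert = /etc/letsencrypt/live/mail.example.com/cert.pem
[renewalparams]
authenticator = webroot
installer = None
account = CONSTRUCTED_ACCOUNT_ID
webroot_path = /var/www/html,
[[webroot_map]]
mail.example.com = /var/www/html
EOF
}

# Print the value of key $2 from the [renewalparams] section of conf $1.
renewal_param() {
  awk -v key="$2" '
    /^\[renewalparams\]/ { insec = 1; next }
    /^\[/                { insec = 0 }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Rewrite [renewalparams] in conf $1 so future renewals use the Apache
# authenticator and no installer, appending either key if it is absent.
# A copy of the original file is kept at $1.bak.
use_apache_authenticator() {
  conf="$1"
  cp "$conf" "$conf.bak"
  awk '
    function finish_sec() {
      if (insec && !seen_auth) print "authenticator = apache"
      if (insec && !seen_inst) print "installer = None"
      insec = 0
    }
    /^\[renewalparams\]/ { insec = 1; print; next }
    /^\[/                { finish_sec() }
    insec && $1 == "authenticator" { print "authenticator = apache"; seen_auth = 1; next }
    insec && $1 == "installer"     { print "installer = None"; seen_inst = 1; next }
    { print }
    END { finish_sec() }
  ' "$conf.bak" > "$conf"
}
```

On a real host the lineage confs live under /etc/letsencrypt/renewal/; run `certbot renew --dry-run` afterwards to confirm the lineage still renews with the new plugin settings.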