Many people want to use SSL/TLS, and should, but getting and managing certificates is a pain. Server software can relieve much of the pain by supporting the ACME protocol and automatically retrieving and managing certificates for configured domains. The ACME protocol can be supported by any certificate authority (CA), and an IETF WG is working on standardizing it. Here is an example of an HTTP server getting a certificate for a domain automatically using ACME and Let's Encrypt: https://www.youtube.com/watch?v=nk4EWHvvZtI We should try to make it this easy in Apache as well.
Disclaimer: I am not a httpd developer. The httpd process handling incoming requests MUST NOT have write permissions to the certificates, and not even read permissions after dropping privileges, so how do you imagine this working in a secure manner?
I agree with Harald here: managing certificates either in the parent process, which is problematic because "root" shouldn't issue outgoing connections (to letsencrypt or whatever), or using an unprivileged/dedicated process, which is a concern with regard to the final owner/rights on the certificates. IMHO, this is a tool's job (probably from the distro) to provide this feature and configure httpd accordingly.
If that's the approach that the Apache team considers most correct, the EFF client (currently called "letsencrypt" but we're going to rename it shortly) has already started on it to some degree. The plugin code here is designed to try to configure httpd to speak TLS correctly: https://github.com/letsencrypt/letsencrypt/tree/master/letsencrypt-apache/letsencrypt_apache

At the moment, that code works for about 95% of Apache configurations, but there are definitely cases it doesn't handle yet, such as:

* WSGI (https://github.com/letsencrypt/letsencrypt/issues/1820)
* Multiple vhosts per file (https://github.com/letsencrypt/letsencrypt/issues/1042)

It would be great to have some attention and energy from the Apache team to help ensure that this code is robust, architecturally sensible, and on a path that will work for 99.x or 100% of users in the future. There are definitely some pieces that feel hackish at the moment, such as all of the vhost juggling logic and the fact that we rely on Augeas's imperfect grammar for Apache config files: https://github.com/hercules-team/augeas/blob/master/lenses/httpd.aug
An external tool is going to have some hard user experience limitations no matter how good it is. In a world where HTTPS is what most people want, or even required by browsers (it's where we're headed), Apache is going to want to do better than that. I'm confident that if the Apache team wants to provide first-class integrated support for HTTPS and certificate management via ACME they can find a way to do it securely. In the meantime external tools will have to suffice, and as Peter said it would be nice to have help with them, but I think we should focus on discussing full integration here.
Have a look at mod_md (https://httpd.apache.org/docs/current/mod/mod_md.html) available in httpd 2.4.30+. Currently, the module is still marked as "experimental".
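As an added illustration of what the integrated approach looks like in practice (this is example configuration written for this page, not text from the thread or from the mod_md documentation): a minimal mod_md setup in which no certificate or key file is configured by hand. The hostnames, e-mail address and paths are constructed placeholders, and it assumes a 2.4 release that accepts `MDCertificateAgreement accepted`.

```apache
# Added example: automatic ACME certificates with mod_md.
# example.org, the contact address and the paths are constructed placeholders.
LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so   # mod_md's ACME client runs in a watchdog child
LoadModule md_module       modules/mod_md.so

# Contact address registered with the CA (ServerAdmin is the default source;
# MDContactEmail can override it).
ServerAdmin webmaster@example.org

# The CA's terms of service must be accepted before any certificate is requested.
MDCertificateAgreement accepted

# One "managed domain": all names listed here end up on one certificate.
MDomain example.org www.example.org

# Account keys and certificates live here (default: "md" under ServerRoot).
# New certificates are obtained and staged by the unprivileged watchdog process;
# the privileged parent activates them at the next (graceful) restart, so root
# never talks to the CA and the request-handling children never write certificates.
MDStoreDir /var/lib/httpd/md

# Send plain http traffic for managed domains to https while still letting
# mod_md answer the http-01 challenge on port 80.
MDRequireHttps permanent

<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    # No DocumentRoot or challenge directory needed: mod_md serves the
    # /.well-known/acme-challenge/ responses itself.
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
    # Deliberately no SSLCertificateFile / SSLCertificateKeyFile:
    # mod_md supplies the certificate for this vhost.
    DocumentRoot /var/www/example.org
</VirtualHost>
```

The module needs outbound HTTPS to the CA and inbound port 80 for the default http-01 challenge; renewal progress for each managed domain is reported in the error log.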