auto-letsencrypt | Docker image to automatically request | TLS library

You have many questions in one.

Should I execute the ./certbot-auto command from PHP using the exec()/shell_exec() command? Should I write a separate bash script and run the bash script instead?

In a generic case: no.

PHP is executed once a webpage has been reached, hence it lives inside the current HTTP session, and the browser at the other end will wait for some kind of response back, in some kind of limited time (and users get angry if they do not see something appearing "fast").

If you exec things you have two options:

1. you wait for completion of external program: problem, this can be after an "undefinite" time, so if this is not taken into account, user will never see anything back in their browser
2. you start it in the background, and you do not wait for its completion: problem, you do not need if it succeeds or not, so even if you are then able to reply "something" to the browser, how will you handle failures?

The generic solution to cases like this is:

1. The action triggered by the HTTP visit just records the request, like in a DB or something
2. Separately a process polls the DB for tasks to do and executes them; this is completely separate from any webserver; when job has completed (success or failure), the DB will be updated in the same way
3. The process at 1) can regularly poll the DB to see the status (pending or completed or failed) and show user a message, like during its visit, with some kind of auto-refresh, and/or provide a specific separate page where the user would be able to track status of its operation

Should I use an ACME PHP library recommended by LetsEncrypt - https://letsencrypt.org/docs/client-options/

You can use any library in any language that properly implements the ACME protocol.

Let's Encrypt only recommends one software: certbot. All the rest listed in that page are examples of client libraries/programs that are expected to work.

Do I need to create virtual hosts for each domain pointing to www.mywebapp.example?

Yes, specially if they are using each of them a specific certificate, otherwise the webserver will not be able to identify the proper certificate to return at the beginning of the TLS handshake based on which hostname the browser gave (inside the SNI extension used at beginning of TLS handshake)

Or you can use some Apache features of mass virtual hosting, such as https://httpd.apache.org/docs/2.4/mod/mod_vhost_alias.html As is however this may probably mean a single certificate with all names added to it, which can technically work until some amount of names, but can create non technical problems (like seeing all the names, etc.)

Of course other software, like Nging/HAProxy can provide more advanced features, where you do not need to configure things virtual host per virtual host, even with different certificates, you just put things in place with specific naming and the webserver will match things as needed.

Do I need to edit /etc/httpd/conf.d/ssl.conf to add the new virtual hosts?

Yes, or any other file as long as you use Include or similar.

If you manage many different and separate websites, it may be simpler to have one configuration file per website, including its certificate paths and so on, many Linux distributions install Apache in such a way that you have /etc/httpd/sites-enabled/ for that feature. If not, you can do the same yourself.

Can multiple domains use the same DocumentRoot path?

Of course yes.

PS: please stop saying SSL, the protocol is named TLS, invented 20 years ago. SSL is long gone, current recommandations are to run TLS 1.2 except if good reasons to also allow 1.1 and 1.0 which have vulnerabilities. There are no "SSL certificate" either for this reason and because they are a misnommer. TLS can work without certificates and these certificates can be used outside of TLS, like in S/MIME. They are X.509 certificates.