Merge branch '3.5.x' into 4.0.x

Closes gh-50629

Author: snicoll

documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/features/ssl.adoc

@@ -181,3 +181,33 @@ A file watcher is then watching the files and if they change, the SSL bundle wil
 This in turn triggers a reload in the consuming component, e.g. Tomcat rotates the certificates in the SSL enabled connectors.
 
 You can configure the quiet period (to make sure that there are no more changes) of the file watcher with the configprop:spring.ssl.bundle.watch.file.quiet-period[] property.
+
+[[features.ssl.reloading.lets-encrypt]]
+=== Reloading SSL Bundles With Let's Encrypt
+
+If you use certificates issued by https://letsencrypt.org/[Let's Encrypt] and renewed by an external tool, such as https://certbot.eff.org/[Certbot], you can configure a PEM bundle to use the generated files and enable reloading.
+Certbot typically stores these in `/etc/letsencrypt/live/` under a directory named after your domain.
+The following example shows how to configure a PEM bundle for `example.com`:
+
+[configprops,yaml]
+----
+    spring:
+      ssl:
+        bundle:
+          pem:
+            webserver:
+              reload-on-update: true
+              keystore:
+                certificate: "file:/etc/letsencrypt/live/example.com/fullchain.pem"
+                private-key: "file:/etc/letsencrypt/live/example.com/privkey.pem"
+    server:
+      ssl:
+        bundle: "webserver"
+----
+
+Spring Boot does not request or renew Let's Encrypt certificates.
+When Certbot or another ACME client updates the configured files, the SSL bundle is reloaded.
+Compatible consumers, such as Tomcat and Netty web servers, can then use the updated certificate without restarting the application.
+
+The files in `/etc/letsencrypt/live` are typically symbolic links to files in `/etc/letsencrypt/archive`.
+The file watcher follows symbolic links so that updates to the target files can trigger a reload.