Certbot-auto no longer works on Debian-based systems

What happened?

In our 1.10.0 release on Tuesday, we deprecated certbot-auto, one of the ways to install Certbot, on Debian-based systems including Ubuntu. In our 1.11.0 release, we plan to deprecate the script on every OS. It is only certbot-auto that we deprecated. Our other distribution methods, and Certbot more generally, were not deprecated on Debian.

The behavior you can expect from certbot-auto on a deprecated OS is that if you had run the script before and had an existing Certbot installation from it, that installation will continue to work; however, you will no longer receive updates, and a message will be printed every time the script is run explaining this. If you do not have an existing certbot-auto installation, the script will refuse to install Certbot and say that you need to use a different installation method.

Why did it happen?

If certbot-auto had been working well for you, I'm glad to hear it, but it became infeasible for our small team to maintain. It's a custom, self-updating shell script that tries to support all popular UNIX OSes. Keeping this script working in all the different environments out there and the changes being made to them was just too much work.

The biggest factor that drove this deprecation now was Python 2 reaching its end-of-life this year. When this script was initially written 5 years ago, it was written to use Python 2 on most systems. While Python 2 is still receiving security support by various distros, the Python ecosystem has moved on and many of our dependencies are dropping support for Python 2. In order to continue to provide updates to our users, we have to get them on Python 3. We tried to migrate certbot-auto users to Python 3 in the past, but it's a ton of work and extremely error-prone. Instead of trying to do this work and hope we didn't break anything (like we did last time), we decided to sunset the script in favor of other distribution methods.

How do I install Certbot now?

The way we recommend most users install Certbot is through snaps. You can find instructions for doing this at https://certbot.eff.org/instructions.

Some of the benefits of installing Certbot this way are:

  • Certbot automatically stays up-to-date, giving you access to the latest features including updates to the TLS configuration Certbot uses when installing certificates with Apache and Nginx.
  • Automatic renewal comes preconfigured, so there is no need to manually set up a cron job or systemd timer.
  • All of our DNS plugins are available and it is possible for 3rd parties to write their own Certbot snap plugins as well.

If you don't want to install Certbot through snaps, other installation methods are documented at https://certbot.eff.org/docs/install.html. (certbot-auto is still documented there but that will be removed soon.)

Finally, while I do not recommend this, if certbot-auto was working for you, it's possible to continue to use the last version of the script that worked on Debian-based OSes. Taking this approach means you will not receive any bug fixes, security fixes, or compatibility fixes with Let's Encrypt's servers. If that does not deter you, you can find the last version of the script that worked on Debian at https://raw.githubusercontent.com/certbot/certbot/v1.9.0/certbot-auto. If you use this, make sure you are fully comfortable with all of these downsides and include --no-self-upgrade on the command line to prevent the script from updating itself to a deprecated version.

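When planning the move off certbot-auto, it helps to find scheduled jobs that still call the script and to see which of them pass --no-self-upgrade. The following is an added example, not part of the original post or of the Certbot project; the function names, cron lines and file paths in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify scheduled-job lines that still invoke certbot-auto.
# Every hit is a migration candidate; the verdict only tells you whether the
# job lets the script update itself (no --no-self-upgrade on the command line).

# audit_line LINE -> prints: none | no-self-upgrade | self-upgrading
audit_line() {
    # Strip leading whitespace so indented comments are recognised.
    line=${1#"${1%%[![:space:]]*}"}
    case "$line" in
        \#*) echo none; return ;;          # commented-out job
    esac
    case "$line" in
        *certbot-auto*) ;;                 # still references the script
        *) echo none; return ;;
    esac
    case "$line" in
        *--no-self-upgrade*) echo no-self-upgrade ;;
        *) echo self-upgrading ;;
    esac
}

# audit_jobs: read job lines on stdin, print "VERDICT<TAB>LINE" for each hit.
audit_jobs() {
    while IFS= read -r job; do
        verdict=$(audit_line "$job")
        [ "$verdict" = none ] || printf '%s\t%s\n' "$verdict" "$job"
    done
}

# Constructed sample crontab (paths are assumptions, not from a real host).
SAMPLE_CRON='# renew twice a day
0 */12 * * * root /usr/local/bin/certbot-auto renew --quiet
17 3 * * * root /opt/certbot-auto renew --no-self-upgrade --quiet
0 0 * * * root /usr/bin/certbot renew --quiet
  #0 5 * * * root /usr/local/bin/certbot-auto renew'

printf '%s\n' "$SAMPLE_CRON" | audit_jobs
```

To check a real host, pipe the contents of its crontab files or systemd unit files into `audit_jobs` instead of the sample.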