How to install certbot without snap

I would like to install certbot without snap. On certbot website, it says "You can find instructions for installing Certbot without using snap by selecting your OS in the dropdown above. ". I chosed my OS, but the instruction is still for using snap.

2 Likes

I'm afraid this is the result of moving the documentation from distribution based to snap. The banner you're seeing at the top is a generic one from the situation before the aformentioned documentation restructuring. Earlier, there was only the "snap" choice of OS which would present the snap instructions and all the other OSses would have specific instructions. However, this banner isn't uptodate for a lot of OSses any longer indeed, as those OSses have also moved to the snap instructions.

I opened a Github issue for this earlier, but it seems this situation is going to keep existing, until the documentation for all the OSses which are moved to snap are restructured..

Personally, I understand your reluctance for using snap.. Luckily, I'm running Gentoo, so I'm not forced to move to snap. However, other OSses might not be so lucky. There is absolutely no guarantee your OS repository will update their package of certbot, so it might be unwise to use anything differently than snap. It should however still be possible. But that depends on the OS you're using.

4 Likes

The arch wiki always seems to be better than anyone else's

2 Likes

I also do not understand at all why snap is forced upon us. I am anything but satisfied with this decision! It is really annoying.

3 Likes

I wasn't very involved in this decision (and not at all in its implementation), but I believe the main reason that the Certbot team decided to use snaps as the recommended distribution method for Certbot is that most Linux distributions weren't willing to update their packages frequently without some urgent reason like a security hole. Or, if they were willing, they didn't necessarily have packagers who had the time to perform those updates frequently.

I find snap kind of mysterious and uncomfortable, but as someone who provides a lot of support on the forum, I'm sad to see people routinely still running two-year-old (or sometimes even older) versions of Certbot because those are the last versions that their OSes had officially packaged. Sometimes forum members will comment on this (like "could you update your Certbot?" or "maybe this would work better with a newer Certbot version?") and the users asking questions will then reply, quite reasonably, that they followed official instructions for their OSes and got the most recent official package—which may be years out of date.

Certbot rarely has security holes, but it frequently has useful functionality improvements. It's been under very rapid development all along, and these old OS-packaged versions would often be missing non-security-critical but extremely useful features, sometimes such as improvements to the reliability of the integration with web server applications, or improvements to the command-line syntax.

The Certbot license obviously still permits distributions to package Certbot, and perhaps some still do, or still will. I think the challenge that needs to be overcome in order to have OS packages be an appealing option for the Certbot developers, or for most users, is how the OS packages will get more frequently updated, so that they won't lag years behind Certbot releases. If you run an OS where you would like an officially-packaged Certbot outside of snap, can you find a way to get your OS developers to find the resources (and in a few cases, the policy approval) to track EFF's upstream releases more frequently?

3 Likes

I think this is indeed something that isn't very "compatible" with the regular way of distribution packaging.

For Gentoo however, it's simply checking if dependencies have changed and if so, test for dependency hell or if certain dep versions are not stable yet. And check if there has been some low-level change requiring the way the program compiles or installs et cetera.If there's no issue with the deps, you can simply bump the version number. Easy peasy.

Gentoo has its drawbacks, but for getting cutting edge versions of your software, it's great!

2 Likes

Adding to the above, as someone who is also not a fan of snap: I actually like this usage an integration.

  1. The various linux distributions are always very much behind in upgrading to the latest Cerbot versions. Their support is also varied across the install base. Ubuntu, for example, has 5 currently supported variants (of their OS) and a total of 13 package repositories for them. Every Ubuntu version has a different Certbot version. This is insane for the package maintainers, and terrible for end users.

  2. You can install Cerbot via pip; it's just a Python package. The problem, however, is that Certbot has a lot of specific version dependencies and is not friendly to exist within a system's normal Python installation. You really need to install it using a virtual environment - which is simple, but can be burdensome to constantly run and execute with. Certbot has a system that does this - cerbot-auto - but it a bit of a mess and slowly being deprecated and removed. It works, until it doesn't, and just causes issues and confusion.

  3. The snapd system basically automates the Python installation and streamlines some things to help keep it up-to-date.

In my experience: the only thing we're using snap for is certbot. IMHO, it's a great way to manage Certbot. I wish I did not have to use snap and there were better options, but thinking of it as "the certbot management system" really changed my opinion and made me appreciate it. is it perfect? no, but it's the best distribution method Certbot has used so far.

1 Like