How to use the new certbot apache v 0.21

Depends on how you've installed certbot in the first place.

That's unfortunately a Debian "thing". Debian isn't known for their "up to date" repository. A possible solution might be using the certbot-auto (more on that later).

Depends which version of the Apache plugin you're referring to :wink: The webroot plugin purely is an "authenticator": its only function is to authorise a FQDN, so Let's Encrypt will issue a certificate for it. It uses the http-01 challenge. It will only validate your domain, so certbot can get the certificate. It won't change anything on your webserver.
The apache plugin however, is an authenticator plugin as well as an installer plugin: it can use a challenge (before version 0.21 the now disabled tls-sni-01 challenge, with 0.21 and newer the http-01 challenge) to verify your FQDN (the authenticator part), but it will also modify your webserver configuration, so your site is instantly TLS secured!

As I already said in the Question about release and update - #3 by Osiris thread, you can combine the apache installer with the webroot plugin so you can use the http-01 challenge with certbot version <0.21.

You can read more about the decision on disabling the tls-sni-01 challenge here: TLS-SNI challenges disabled for most new issuance

You can read more about the solution here, including the use of certbot-auto: Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
