Installing certbot via apt vs snap vs pip

I'm trying to understand the ever-evolving installation requirements for certbot (which I have used since around 2015/16 or so). I don't use snapd for many reasons but a main one is the fact that most of my servers are plain headless servers running Ubuntu Server rather than Ubuntu Desktop, so I'm trying to understand why it is that certbot installation is currently through snap or pip now? I will be upgrading an older apache server with quite a few vhosts at some point and I do use letsencrypt extensively on it so I'd rather not run into any unpleasant surprises.

It is a fair question but one probably best asked at the EFF's GitHub for Certbot. Their dev team monitors activity there more closely than here. See: Issues · certbot/certbot · GitHub

I don't speak for the EFF but I think their recent website change about install options is to only show options that give you the ability to keep Certbot current. Relying on apt or other packaging systems can often leave you far behind the current version.

4 Likes

OK, thanks for the redirect. Keeping super current, I suppose that's fair, OTOH I generally run LTS distros so I'm always a little behind the latest and greatest anyway, which I'm okay with. I like to watch other people on the bleeding edge before it's my turn to shed blood :wink:

2 Likes

I didn't think Ubuntu Desktop was a requirement for snap. I've got it available on headless Ubuntu Server installs as old as 20.04 LTS.

2 Likes

Snap is advised as the "basic" option because all the dependencies are managed and updated automatically.

pip is supported, but users who don't understand pip may run into issues. If you have configuration management or other tooling and can manage pip and upgrades, that works fine. Certbot pip instructions

apt packages from your OS aren't directly supported by the certbot team, as they can get out of date (especially, e.g., in an LTS distro). But they generally still work.

4 Likes

I recommend you look into Apache mod_md. I moved all of my Apache vhosts from certbot to mod_md years ago and it is definitely the way to manage certificates used by Apache.

On the one Debian host where I run certbot to create a certificate used by services other than Apache, I use pip with a cron job that keeps it up to date. It's a better option for me than installing snapd on a server that otherwise would have no need for it.

4 Likes

Ah, gotcha. My basic LTS server installs up to 24.04 don't have any snap installs. I'm sure it could be installed, if something using snap were installed on them, but the basic install w/nothing added doesn't have snap so far.

Ooooooooohhhhh... this will motivate me to upgrade that server more quickly! How did I miss this? Thanks for the pointer!

2 Likes

Unfortunately, all this sandboxing comes with a lot of overhead, especially if you're not already using Snap for other things. Not as much as a Docker container, but still. I've been running the pip release for two years now without any issues.

After following the initial instructions to set up the venv, I've created a small script that I run after python upgrades and whenever it's time to update certbot:

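#!/bin/sh -eu
# Upgrade the venv in place so it uses the current system Python
python3 -m venv --upgrade /opt/certbot
# Upgrade the venv's core packaging tools (pip) to the latest release
python3 -m venv --upgrade-deps /opt/certbot
# Upgrade certbot itself inside the venv
/opt/certbot/bin/pip install --upgrade certbot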

--

I don't think certificate management is a job for a web server. Apache is there to serve websites, and I wouldn't want it to mess with my certificates. To quote the Unix philosophy: "Do one thing and do it right". Furthermore, I'm generally using one wildcard certificate for a domain and its sub-domains, so the virtual host configuration is and should stay independent of the certificates, and the certificates might also be used by a mail or ftp server.

That's what mod_md does. It gets certs and it is good at it. I use it for certs that are only used by Apache web sites.

Your reason for not wanting to use mod_md is similar to my reason for not allowing certbot to touch my Apache configs, so I can appreciate it even if I disagree. :smirk:

2 Likes
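
For unattended use of the pip install, such as the cron job mentioned earlier in this thread, the upgrade can check that certbot still starts afterwards and pin back to the previous version if it does not. This is an added example, not code from any poster or from the Certbot project; the function names, the `PYTHON` override and the rollback step are assumptions of the example, and `/opt/certbot` is the venv path from the script posted above.

```sh
#!/bin/sh
# Added example (not from the thread): guarded certbot upgrade for a pip venv.
# PYTHON can be overridden; it defaults to python3 (assumption of this example).

certbot_version() {
    # Print the version reported by "<venv>/bin/certbot --version", e.g. 2.11.0.
    "$1/bin/certbot" --version 2>/dev/null | awk '{print $2}'
}

upgrade_certbot() {
    venv=$1
    before=$(certbot_version "$venv")
    if [ -z "$before" ]; then
        echo "certbot is not runnable in $venv, nothing to upgrade" >&2
        return 2
    fi

    # Same steps as a manual upgrade: refresh the venv, then pip and certbot.
    "${PYTHON:-python3}" -m venv --upgrade "$venv" || return 3
    "$venv/bin/pip" install --quiet --upgrade pip certbot || return 3

    after=$(certbot_version "$venv")
    if [ -z "$after" ]; then
        # A certbot that no longer starts means renewals stop working,
        # so pin back to the version that worked before the upgrade.
        "$venv/bin/pip" install --quiet "certbot==$before"
        echo "upgrade left certbot unrunnable, rolled back to $before" >&2
        return 1
    fi
    echo "certbot $before -> $after"
}

# Run only when asked to, e.g. from cron: upgrade-certbot.sh --run /opt/certbot
if [ "${1:-}" = "--run" ]; then
    upgrade_certbot "${2:-/opt/certbot}"
fi
```

The non-zero return codes let cron mail or a monitoring wrapper flag a failed or rolled-back upgrade instead of leaving it unnoticed until a renewal is due.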