I found the immediate request for my sudo password after running letsencrypt-auto to be very odd and off-putting as well, the first time I tried to run it.
It looks like letsencrypt-auto always tries to verify and/or install the correct environment, including external package dependencies, every time it is run. At least on Debian systems, the bootstrap.sh uses apt-get to do the package check, and apt-get requires root level access. Because letsencrypt-auto is doing that environment check every time before it calls letsencrypt, even something as simple as requesting '--help' though letsencrypt-auto ends up requiring root access.
Its not clear to me from the beta instructions if I'm supposed to be running letsencrypt-auto every time or not. Is letsencrypt-auto meant to be more of a one time installer program for the letsencrypt command, akin to running 'make install' after a build? It seems like its not the kind of command that one would want to run unattended, given the level of access it has to make system level changes.
Anyway, after going through the scripts to figure out what they were trying to do, I did let letsencrypt-auto run with root, and after some additional packages were installed, everything went swimmingly. VERY COOL PROJECT!