The Getting Started page on the website heavily steers people in the direction of Certbot:
> We recommend that most people with shell access use the Certbot ACME client.
This may have been fine originally, but more recently the people running Certbot have been making it increasingly difficult to install Certbot without using the snap package manager. Lately the team has completely removed most of the distribution-specific support instructions in favor of snap.
There is a long list of reasons people want to avoid using snap, including:
- Avoiding installing a new package manager just for a single piece of software
- Snap requires a new daemon to be running all the time
- Snaps use mount points, thus cluttering up the system mount points
- The auto-update feature, which cannot be turned off, which undermines both when and whether a package gets updated
- Ideological reasons having to do with snap not using a fully open, free model.
Of these, the first four concerns seem more applicable in a production server environment due to security and stability issues. And I'd imagine that certbot would mostly be used in a production server environment.
There are a whole bunch of great alternatives to certbot, but they're mostly not as well documented. The list itself is also staggeringly long which can lead to some decision fatigue. Many of us may find that certbot doesn't meet our needs specifically because of its reliance on snap, but we don't want to exhaustively research this. We would rather there be a strong consensus or at least a strong secondary recommendation on the part of Let's Encrypt.
So, I guess this is what I'd like to see. I'd like for us to question whether or not it makes sense to continue recommending certbot, given their pressuring of their userbase to use snaps, and also I'd like, whether or not Let's Encrypt continues to recommend certbot as the first option, for us to coalesce behind one or possibly more than one recommended other option(s). Also, I don't know if there is much overlap in the management of Let's Encrypt and certbot, or if Let's Encrypt has any influence over the certbot team, but if they do have this influence, I would also love to see people steering the certbot team in the direction of moving away from snap. Numerous users have already spoken out about this on the certbot forums but it seems to have fallen on deaf ears. To me, this seems to warrant either external pressure, abandonment of recommendation for certbot, or at a bare minimum, stronger recommendation of some sort of alternative.