Difference between certbot and certbot-auto

Question

I am using letsencrypt for my server to support https. When looking around I find commands with certbot and others with certbot-auto with similar funcionalities. Do you need to use consistently one or the other? Can someone expalin the difference and in which case you would use each one?

Answer 1

If you use the certbot or letsencrypt command, you are using packages provided by your operating system vendor, which are often slow to update. If this is the case, you should probably switch to certbot-auto, which provides the latest version of Certbot on a variety of operating systems.

From here : https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811

Answer 2

There is an important difference (at least, in two of my production setups)

This info is current as of 2020-04-05

Certbot is the OS's "official" release, while certbot-auto is the cutting-edge version, that has to be downloaded manually.

Having said this, there seems to be an unintended key difference while working with Wildcard certificates with NO automation script (i.e. Digital Ocean HAS an auto script, so in your case this will not be an issue)

1. cerbot-auto (v. 1.3.0) will NOT renew it's own certificates when nearing the expiration date.
2. certbot (v. 0.31.0) WILL renew your near-expiring certbot-auto, Wildcard-generated certificates.

Of course, this seems to be a bug that needs fixing, but in the meantime, it's valid to use "certbot" to MANUALLY renew "certbot-auto"-generated certificates. The instructions don't point you in this direction.

certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.example.com" -d example.com

NOTE: This only seems to affect Wildcard (*.example.com), NON-automatic scripted certificates. It's your responsibility to check viability on your particular setup.