Difference between certbot and certbot-auto

There is an important difference (at least, in two of my production setups).

This info is current as of 2020-04-05

Certbot is the OS's "official" release, while certbot-auto is the cutting-edge version that has to be downloaded manually.

Having said this, there seems to be an unintended key difference while working with Wildcard certificates with NO automation script (i.e. Digital Ocean HAS an auto script, so in your case this will not be an issue).

  1. certbot-auto (v. 1.3.0) will NOT renew its own certificates when nearing the expiration date.
  2. certbot (v. 0.31.0) WILL renew your near-expiring certbot-auto, Wildcard-generated certificates.

Of course, this seems to be a bug that needs fixing, but in the meantime, it's valid to use "certbot" to MANUALLY renew "certbot-auto"-generated certificates. The instructions don't point you in this direction.

certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.example.com" -d example.com

NOTE: This only seems to affect Wildcard (*.example.com), NON-automatic scripted certificates. It's your responsibility to check viability on your particular setup.
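
To find which certificates on a host are in the situation described above (issued with the manual authenticator and no automation script), the renewal configuration files can be inspected. The following is an added example, not part of the original answer or of Certbot itself; it assumes Certbot's default renewal directory /etc/letsencrypt/renewal and the renewalparams keys authenticator, manual_auth_hook and pref_challs, and the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# List Certbot lineages issued with the manual authenticator that have no
# auth hook configured, i.e. certificates that need a hands-on renewal.

# Print the value of key $2 from renewal config file $1 ("key = value").
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "<lineage> <preferred challenge>" for each manual, hook-less lineage.
# $1 = renewal directory (assumed default: /etc/letsencrypt/renewal).
manual_lineages() {
    dir="${1:-/etc/letsencrypt/renewal}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        auth=$(conf_value "$conf" authenticator)
        hook=$(conf_value "$conf" manual_auth_hook)
        if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
            challs=$(conf_value "$conf" pref_challs)
            challs="${challs%,}"   # single-item lists carry a trailing comma
            printf '%s %s\n' "$(basename "$conf" .conf)" "${challs:-unknown}"
        fi
    done
}

# Write two constructed renewal configs (sample data, not real) into dir $1.
write_sample_confs() {
    cat > "$1/example.com.conf" <<'EOF'
# constructed sample: manual DNS-01 wildcard, no hook script
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$1/www.example.org.conf" <<'EOF'
# constructed sample: manual authenticator with a hypothetical hook script
[renewalparams]
authenticator = manual
manual_auth_hook = /usr/local/bin/dns-hook.sh
pref_challs = dns-01,
EOF
}
```

Calling `manual_lineages` with no argument scans the default directory; each name it prints is a certificate whose expiry date should be tracked by hand.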


If you use the certbot or letsencrypt command, you are using packages provided by your operating system vendor, which are often slow to update. If this is the case, you should probably switch to certbot-auto, which provides the latest version of Certbot on a variety of operating systems.

From here: https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811