Edit: this turned out to be too complicated. As much as I prefer to avoid a Snap package, I decided to go with it rather than jump through these hoops. When I have the system up and running, I might re-evaluation this decision.

  • Install dependencies

      sudo apt install python3 python3-pip libaugeas0

  • Remove any OS-installed version

      sudo apt remove cerbot

  • Set up a Python virtual environment with certbot

      sudo python3 -m venv /opt/certbot/
  sudo /opt/certbot/bin/pip install --upgrade pip
  sudo /opt/certbot/bin/pip install certbot certbot-nginx

  • Optionally, set up a symlink in the path

      sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot

  • Enable auto-renewal

      echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Derived from Let’s Encrypt - pip