[lstamour]

Debian is still on version 0.x when the snap is at 1.1 ... this is one of those cases where the Debian stable branch is too stable when you need to ship software that interacts with a lot of remote APIs the way the certbot-dns packages do. It’s impossible to use the old Debian versions with the more secure API tokens from CloudFlare, for example.

[hlieberman]

The certbot-dns packages are certainly the most fragile part of the process -- however, I don't have any bug reports showing that the version in stable is currently broken for any of the dns plugins.

If you're experiencing that, please file a bug against them and I can look into having a stable backport done for them.

[lstamour]

I’ll see what I can do, I’m not familiar with Debian package bug tracking. For reference, the incompatibility I faced was for the CloudFlare DNS plugin, which added support for API Tokens that had granular permissions somewhere between version 0.23 distributed in stable and 1.11 distributed via snap. Certbot docs and CloudFlare docs both encourage you to use API tokens instead of account-wide API secrets and the previous install instructions for wildcard DNS support suggested installing the CloudFlare DNS plugin by default on the Certbot site. As CloudFlare is used by a lot of folks for DNS, and was a suggested default install, I’m probably not the only one that encountered problems setting it up, without a backport available for a newer package of Certbot.