Different behaviour when running letsencrypt's certbot as a cron job

This issue occurs because of the way certbot was installed.

When not using a packaged distribution installation of certbot, it can't ensure that all dependencies are met so to make sure it can run properly, it creates a virtual environment in your $HOME. When running with sudo, this is still your own $HOME. However, when running as root, this turns to /root where the virtual environment is not present and thus, certbot cannot run without creating it. It's not upgrading itself so much as installing itself considering the new environment it is run from.

EDIT:

The issue here was that certbot-auto was first ran (initialized) using sudo while cron ran it as the root user. This resultet in certbot-auto trying to install dependenvies when executed by cron/root.

The solution would be to run certbot-auto as root, not using sudo.

I still want to mention --no-self-upgrade as this will keep certbot-auto from trying to upgrade itself. Useful when executed by a cronjob as you can/should monitor any upgrades by running it manually from time to time.

I do not see any difference when testing here on Debian Jessie using the latest certbot-auto. You could add '--no-self-upgrade' to the command. That way certbot-auto does not check for new versions.

I have this in '/etc/cron.d/letsencrypt'

# Check if we need to renew any certificates

4 4 * * * /opt/letsencrypt/certbot-auto renew --quiet --no-self-upgrade --post-hook "service nginx restart" >/dev/null 2>&1

This will run every once every day and then restart nginx if it had to renew any certificates but without trying to update certbot-auto itself.