Anybody who advocates using certbot (in this manner—though if there is a secure way to run certbot, it’s beyond my understanding) and also harps on “responsibility” and “security” is off the reservation. It’s like running a web server as root from your root directory and having bash CGI scripts. That you just downloaded from someone’s github. Come on.
I do agree, and wonder how someone from the certbot team would defend it.
We run certbot in a Docker container, only allowing it to read/write its own configuration and /.well-known/acme-challenge/. The webserver container, in turn, has read access to these two directories, to get at certificates and for serving the challenges. Then, only use the certbot certonly --webroot mode. Seems less bad?
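As an added example, not the commenter's own files, here is a docker-compose arrangement implementing the split described above: certbot gets exactly two writable mounts (its own state and the challenge directory), and the web server sees both read-only. The paths ./letsencrypt and ./acme-webroot, the domain example.com, and nginx as the web server are assumptions.

```yaml
# Added example, not the commenter's configuration. Assumed: ./letsencrypt holds
# certbot's state, ./acme-webroot is the shared challenge directory, example.com
# is a placeholder domain, and nginx is the web server container.
services:
  certbot:
    image: certbot/certbot
    read_only: true                   # root filesystem immutable
    cap_drop: [ALL]                   # webroot mode needs no capabilities
    security_opt: [no-new-privileges:true]
    tmpfs:
      - /var/lib/letsencrypt          # scratch state certbot writes at runtime
      - /var/log/letsencrypt
      - /tmp
    volumes:
      - ./letsencrypt:/etc/letsencrypt      # rw mount 1: certs, keys, renewal config
      - ./acme-webroot:/var/www/certbot     # rw mount 2: challenge token files
    # webroot mode: certbot writes a token under
    # /var/www/certbot/.well-known/acme-challenge/ and the already-running
    # web server serves it; certbot itself never binds a port.
    command: >
      certonly --webroot -w /var/www/certbot
      -d example.com --agree-tos -m admin@example.com --non-interactive

  nginx:
    image: nginx:stable
    ports: ["80:80", "443:443"]
    volumes:
      - ./letsencrypt:/etc/letsencrypt:ro     # read-only view of the certificates
      - ./acme-webroot:/var/www/certbot:ro    # read-only view of the challenge dir
      # nginx.conf (assumed) contains:
      #   location /.well-known/acme-challenge/ { root /var/www/certbot; }
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
```

One caveat with this split: nginx only picks up a renewed certificate on reload, and a certbot --deploy-hook running inside the isolated container cannot reach the nginx container, so the reload has to be a separate scheduled step on the host.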