diff --git a/scripts/lib/install b/scripts/lib/install
index f7f897364b..edbab3e7b8 100755
--- a/scripts/lib/install
+++ b/scripts/lib/install
@@ -94,7 +94,8 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
 "$ZULIP_PATH"/scripts/lib/check-upstart
 if [ -n "$USE_CERTBOT" ]; then
- "$ZULIP_PATH"/scripts/setup/setup-certbot --no-zulip-conf \
+ "$ZULIP_PATH"/scripts/setup/setup-certbot \
+ --no-zulip-conf --method=standalone \
 --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
 fi
diff --git a/scripts/setup/setup-certbot b/scripts/setup/setup-certbot
index 1ff989d2d6..61051c5607 100755
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@@ -12,7 +12,8 @@ if [ "$EUID" -ne 0 ]; then
 exit 1
 fi
-args="$(getopt -o '' --long help,hostname:,email:,no-zulip-conf -n "$0" -- "$@")"
+method=webroot
+args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
 case "$1" in
@@ -26,6 +27,11 @@ while true; do
 shift
 shift
 ;;
+ --method)
+ method="$2"
+ shift
+ shift
+ ;;
 --no-zulip-conf)
 no_zulip_conf=1
 shift
@@ -44,6 +50,18 @@ if [ -n "$show_help" ]; then
 usage
 fi
+case "$method" in
+ standalone)
+ method_args=(--standalone)
+ ;;
+ webroot)
+ method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/)
+ ;;
+ *)
+ usage
+ ;;
+esac
+
 set -x
 CERTBOT_PATH="/usr/local/sbin/certbot-auto"
@@ -51,7 +69,7 @@ CERTBOT_PATH="/usr/local/sbin/certbot-auto"
 wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
 chmod a+x "$CERTBOT_PATH"
-"$CERTBOT_PATH" --standalone certonly -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
+"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
 symlink_with_backup() {
 if [ -e "$2" ]; then
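Review bot: The new `method=webroot` default in the `@@ -12,7 +12,8 @@` hunk silently changes behaviour for every caller that does not pass `--method`, and nothing visible in this diff documents the option. Only `scripts/lib/install` is updated to keep the old standalone behaviour; the `usage` text is outside the visible hunks and appears untouched. I would add a comment above the assignment such as `# Default: webroot (nginx must already be serving /var/lib/zulip/certbot-webroot/); the installer passes --method=standalone, presumably because nginx is not yet running at that point`, and list `--method=standalone|webroot` in `usage`.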
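Review bot: In the `@@ -44,6 +50,18 @@` hunk, the `*)` arm of the new `case "$method"` only calls `usage`, so a mistyped `--method` value gets the generic help with no hint about which argument was rejected. I would print the offending value first, e.g. `echo "Invalid --method '$method' (expected standalone or webroot)" >&2` on the line before `usage`. The webroot arm also passes the fixed path `/var/lib/zulip/certbot-webroot/` without checking that it exists. Since certbot writes challenge files there as root, a short guard such as `[ -d /var/lib/zulip/certbot-webroot ] || { echo "certbot webroot missing" >&2; exit 1; }` would fail earlier and more clearly; the directory is presumably created elsewhere (e.g. by puppet), which this diff does not show.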
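Review bot: The rewritten certbot invocation in the `@@ -51,7 +69,7 @@` hunk still executes, as root (per the `$EUID` check earlier in the file), whatever the two context lines above it have just downloaded with `wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"`. That predates this commit, but nothing beyond TLS authenticates the script, and it is re-fetched on every run. Unless `set -e` is enabled outside the visible lines, a failed download also goes unnoticed, because `wget -O` creates the output file before the transfer completes. I would at least make the fetch fatal (`wget -q ... -O "$CERTBOT_PATH" || exit 1`) and, preferably, install certbot from the distribution package or verify the download against a pinned checksum before `chmod a+x`.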
@@ -67,6 +85,12 @@ CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
 symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
 symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
+case "$method" in
+ webroot)
+ service nginx reload
+ ;;
+esac
+
 if [ -z "$no_zulip_conf" ]; then
 crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
 fi
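Review bot: The exit status of the added `service nginx reload` is not checked, and the script then goes on to set `auto_renew yes`. Unless `set -e` is active outside the visible lines, a failed reload leaves nginx serving the previous certificate while the run looks successful. I would write `service nginx reload || { echo "nginx reload failed; new certificate is not in use yet" >&2; exit 1; }`. As a style point, a one-arm `case` reads more plainly as `if [ "$method" = webroot ]; then ... fi`, with a comment noting that standalone skips the reload, presumably because nginx is not running in that mode.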