diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index 9105a1972f..58012ed8b8 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -95,6 +95,13 @@ class zulip::nginx {
     mode   => '0650'
   }
 
+  $certbot_auto_renew = zulipconf('cerbot', 'auto_renew', '')
+  if $certbot_auto_renew == 'yes' {
+    package { 'certbot':
+      ensure => 'installed',
+    }
+  }
+
   file { ['/var/lib/zulip', '/var/lib/zulip/certbot-webroot']:
     ensure => 'directory',
     owner  => 'zulip',
diff --git a/scripts/lib/certbot-maybe-renew b/scripts/lib/certbot-maybe-renew
index c3d1c5acb8..97999d2ebb 100755
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@@ -17,6 +17,6 @@ fi
 
 deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"
 
-/usr/local/sbin/certbot-auto renew --quiet \
+certbot renew --quiet \
   --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
   --deploy-hook "$deploy_hook"
diff --git a/scripts/setup/setup-certbot b/scripts/setup/setup-certbot
index 3f20400a7c..3ae4f10308 100755
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@@ -81,23 +81,28 @@ case "$method" in
         ;;
 esac
 
+# Check for a supported OS release.
+if [ -f /etc/os-release ]; then
+    os_info="$(. /etc/os-release; printf '%s\n' "$ID" "$ID_LIKE")"
+    { read -r os_id; read -r os_id_like|| true; } <<< "$os_info"
+fi
+
 set -x
 
-CERTBOT_PATH="/usr/local/sbin/certbot-auto"
-# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
-wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
-chmod a+x "$CERTBOT_PATH"
+case " $os_id $os_id_like " in
+    *' debian '*)
+        apt-get install -y certbot
+        ;;
+    *' rhel '*)
+        yum install -y certbot
+        ;;
+esac
 
-# First, we install the OS packages with --quiet, to suppress `apt`
-# prompting the user for input.  This can't be part of the same
-# invocation as gets the certs, since `certonly --quiet --force-interactive`
-# rejects the Certbot ToS, causing Certbot to fail.
-"$CERTBOT_PATH" --os-packages-only --quiet
 # We don't use --no-interactive, because certbot needs to ask the user
 # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
-"$CERTBOT_PATH" certonly "${method_args[@]}" \
+certbot certonly "${method_args[@]}" \
                 "${HOSTNAMES[@]}" -m "$EMAIL" \
                 $agree_tos \
                 "${deploy_hook[@]}" \