diff --git a/certbot/defaults/main.yml b/certbot/defaults/main.yml
index 876be14e..99f02e15 100644
--- a/certbot/defaults/main.yml
+++ b/certbot/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 certbot_work_dir: /var/lib/letsencrypt
+certbot_custom_crontab: True
diff --git a/certbot/tasks/install-sources.yml b/certbot/tasks/install-legacy.yml
similarity index 82%
rename from certbot/tasks/install-sources.yml
rename to certbot/tasks/install-legacy.yml
index d4a24d3e..fe0cb8e2 100644
--- a/certbot/tasks/install-sources.yml
+++ b/certbot/tasks/install-legacy.yml
@@ -8,16 +8,6 @@
 - include_role:
 name: evolix/remount-usr
-# - name: Certbot script is downloaded
-# get_url:
-# url: https://dl.eff.org/certbot-auto
-# dest: /usr/local/bin/certbot
-# mode: '0755'
-# owner: root
-# group: root
-# force: no
-# notify: install certbot-auto
-
 - name: Let's Encrypt script is present
 copy:
 src: letsencrypt-auto
@@ -58,3 +48,12 @@
 src: cron_jessie
 dest: /etc/cron.d/certbot
 force: yes
+ when: certbot_custom_crontab
+
+- name: disable self-upgrade
+ ini_file:
+ dest: "/etc/letsencrypt/cli.ini"
+ section: null
+ option: "no-self-upgrade"
+ value: 0
+ state: present
diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml
index ed8e8b85..54c1f803 100644
--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
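Review bot: `certbot_custom_crontab` is added to certbot/defaults/main.yml with no comment saying what it controls, and it is spelled `True` where YAML linters (yamllint `truthy`) expect lowercase. Going by install-legacy.yml in this same commit, it gates the copy of `cron_jessie` to /etc/cron.d/certbot, so I would put `# Install the role's /etc/cron.d/certbot renewal cron (legacy install only)` above it and write `certbot_custom_crontab: true`. The same capitalisation applies to `certbot_custom_crontab: False` in evoacme/tasks/certbot.yml.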
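Review bot: In the new `disable self-upgrade` task of certbot/tasks/install-legacy.yml, `value: 0` looks inverted for a flag that is meant to be switched on: certbot's cli.ini treats boolean options by truth value, so `no-self-upgrade = 0` would presumably be read as false (or rejected) instead of disabling anything. If the intent is to keep the copied `letsencrypt-auto` from fetching and running a newer copy of itself as root, `value: "true"` is the form to test. Whether the wrapper script consults cli.ini at all is not visible in this diff and should be confirmed; if it does not, the flag has to go on the command line in the cron file. With self-upgrade off, fixes reach these hosts only when the role's bundled script is refreshed, which deserves a one-line comment above the task.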
@@ -7,17 +7,17 @@
 - ansible_distribution_major_version is version('8', '>=')
 msg: only compatible with Debian 9+
-- name: Install from sources on Debian 8
- include: install-sources.yml
+- name: Install legacy script on Debian 8 and 9
+ include: install-legacy.yml
 when:
 - ansible_distribution == "Debian"
- - ansible_distribution_major_version is version('8', '=')
+ - ansible_distribution_major_version is version('10', '<')
-- name: Install package on Debian 9+
+- name: Install package on Debian 10+
 include: install-package.yml
 when:
 - ansible_distribution == "Debian"
- - ansible_distribution_major_version is version('9', '>=')
+ - ansible_distribution_major_version is version('10', '>=')
 - include: acme-challenge.yml
diff --git a/certbot/templates/acme-challenge/apache.conf.j2 b/certbot/templates/acme-challenge/apache.conf.j2
index f013957d..ebc99483 100644
--- a/certbot/templates/acme-challenge/apache.conf.j2
+++ b/certbot/templates/acme-challenge/apache.conf.j2
@@ -7,6 +7,5 @@ Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
 Options -Indexes
- Allow from all
 Require all granted
diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml
index 0577abbe..26327569 100644
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@@ -1,4 +1,8 @@
 ---
+- name: Do no install certbot crontab
+ set_fact:
+ certbot_custom_crontab: False
+
 - include_role:
 name: evolix/certbot
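Review bot: Widening the legacy branch to `version('10', '<')` in certbot/tasks/main.yml moves Debian 9 hosts off the distribution package and onto the script bundled with the role, and nothing in the hunk records why or what happens on hosts already converged with the package installed. A comment above the task such as `# Debian 9: packaged certbot is replaced by the role's bundled letsencrypt-auto; updates come from this role, not apt` would make the patching trade-off visible to whoever maintains it. The context line `msg: only compatible with Debian 9+` also disagrees with the `version('8', '>=')` check it belongs to; `msg: only compatible with Debian 8+` would match the new task name. The assert task holding those two lines starts above the hunk.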
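Review bot: The `set_fact` added to evoacme/tasks/certbot.yml sets `certbot_custom_crontab` on the host for the rest of the run, not just for the `include_role` that follows, so a later application of evolix/certbot to the same host would also skip the renewal cron with no visible reason. Scoping the value to the include keeps it local: add `vars:` with `certbot_custom_crontab: false` under `- include_role:` and drop the `set_fact` task. The task name also has a typo; `Do no install` should read `Do not install`.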