I’m another upstream developer of Certbot. Taking 0.21.1 into stable would be the most conservative update that would resolve this issue. The oldest version you could take is 0.21.0, but 0.21.1 was released 8 days later and as a result has been much more widely tested. Since 0.21.1 was released back in January, it has been installed and run on over 500,000 systems and been used to obtain over two million certificates from Let’s Encrypt. Alternatively, you could take 0.22.2 or 0.23.0, which would include other bug fixes (and features), but they both have been released for less than a month.
The switch to Python 3 would affect relatively few users, but it will affect some. There are around 200 installations maintaining certificates from Let’s Encrypt using the packages in stretch (or jessie-backports) with third-party Certbot plugins. These plugins need to register themselves using Certbot’s Python interface, so a change to Python 3 would likely break things for them. There may also be Debian users using Certbot with a private CA or using Certbot’s Python interface in ways other than writing a plugin. We don’t have data on these users and the latter is not supported; however, I have seen a couple of instances of both. I’m unsure if the people I’ve seen doing this were using Debian. The certbot, python-acme, python-certbot, python-certbot-apache, and python-certbot-nginx packages would all need to be updated. Please let me know if there’s anything else I can do to help get this resolved.