Trond Endrestøl wrote:

> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Is it safe to run certbot as root?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
You would ideally create a certbot user that has just the permissions it needs. It has a fairly decent security history. So it's probably not the worst to run as root in a limited manner.

On Mon, Sep 9, 2019, 5:52 PM Victor Sudakov <vas at mpeks.tomsk.su> wrote:

> Trond Endrestøl wrote:
> >
> > #minute hour mday month wday who command
> >
> > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
<<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas at mpeks.tomsk.su> said:

> Trond Endrestøl wrote:
>>
>> #minute hour mday month wday who command
>>
>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

> Is it safe to run certbot as root?

I can't speak to certbot (I currently use acmetool) but in general, the thing that certbot does requires the ability to signal whatever process is using the certificates, which is normally going to be a web server but might be a mail server, name server, RADIUS server, or some other application -- as shown in the example above. So if you don't run it as root (probably smart) you'll need to find another way to tell the TLS server application to reload its certificates when needed.

-GAWollman
On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote:

> Trond Endrestøl wrote:
> >
> > #minute hour mday month wday who command
> >
> > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

It needs access to TCP port 443 to run some checks. Hence the need to stop and start apache or your other regular webserver.

-- 
Trond.
Victor Sudakov wrote on 2019/09/10 02:52:

> Trond Endrestøl wrote:
>>
>> #minute hour mday month wday who command
>>
>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

I cannot recommend running things like this as root. I am using acme.sh running as an unprivileged user, and only the deployment of the new / renewed key is run as root through sudo. I don't know certbot well; acme.sh allows using shell scripts as hooks for actions like deployment, so it was really simple to separate cert signing and deployment of the new cert.

Kind regards
Miroslav Lachman
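The split Miroslav describes (ACME client unprivileged, only the deployment step under sudo), combined with Garrett's point that something privileged still has to tell the TLS server to reload, as an added example that is not part of this thread and not acme.sh's or certbot's own code. The user name "acme", every path, the sudoers rule, the crontab line and the list of reloadable services are assumptions chosen for illustration; the only real interfaces used are openssl(1), mktemp(1) and the FreeBSD service(8) command.

```sh
#!/bin/sh
# deploy-cert.sh: the only step of the ACME renewal that runs as root.
# Added example, not code from this thread, acme.sh or certbot.
# Assumed (hypothetical) layout:
#   - the ACME client runs as the unprivileged user "acme" from that user's own crontab, e.g.
#       52 4 * * *  /var/acme/acme.sh --cron --home /var/acme >/dev/null 2>&1
#     and writes fullchain.pem and privkey.pem under /var/acme/live/<domain>/
#   - root grants exactly one command, with no other sudo rights, in /usr/local/etc/sudoers.d/acme:
#       acme ALL=(root) NOPASSWD: /usr/local/sbin/deploy-cert.sh
#   - the client's renew/deploy hook calls
#       sudo /usr/local/sbin/deploy-cert.sh /var/acme/live/example.org /usr/local/etc/ssl/example.org apache24

set -eu

# cert_key_match CERT KEY: succeed only if KEY is the private key for CERT, by comparing
# the public key embedded in the certificate with the one derived from the private key.
cert_key_match() {
    cert="$1"; key="$2"
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# install_cert SRC_DIR DST_DIR: copy the pair into DST_DIR atomically.
# Files are created by root (via sudo), so they end up root-owned; the key is 0600,
# the chain 0644. A key that does not match the chain is refused before anything is written.
install_cert() {
    src="$1"; dst="$2"
    cert="$src/fullchain.pem"; key="$src/privkey.pem"
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "install_cert: missing fullchain.pem or privkey.pem in $src" >&2; return 1
    fi
    if ! cert_key_match "$cert" "$key"; then
        echo "install_cert: private key does not match certificate, refusing" >&2; return 1
    fi
    mkdir -p "$dst"
    # Write temp files in the destination directory, then rename: a reader never sees a
    # half-written file, and a failure mid-way leaves the previous pair in place.
    tmpc=$(mktemp "$dst/.fullchain.XXXXXX")
    tmpk=$(mktemp "$dst/.privkey.XXXXXX")
    cat "$cert" > "$tmpc" && chmod 0644 "$tmpc"
    cat "$key"  > "$tmpk" && chmod 0600 "$tmpk"
    mv "$tmpc" "$dst/fullchain.pem"
    mv "$tmpk" "$dst/privkey.pem"
}

# reload_service NAME: tell the TLS server to pick up the new files. The allow-list matters:
# the "acme" user controls the arguments passed through sudo, so it must not get to choose
# which command root executes.
reload_service() {
    case "$1" in
        apache24|nginx|postfix|dovecot) service "$1" reload ;;
        *) echo "reload_service: refusing unknown service '$1'" >&2; return 1 ;;
    esac
}

main() {
    if [ "$#" -ne 3 ]; then
        echo "usage: $0 SRC_DIR DST_DIR SERVICE" >&2; return 2
    fi
    install_cert "$1" "$2"
    reload_service "$3"
}

# Run only when executed under its installed name, so the functions can also be sourced.
if [ "${0##*/}" = "deploy-cert.sh" ]; then
    main "$@"
fi
```

Two practical notes on the cron lines quoted above. If the client proves control of the name with a webroot (http-01) challenge served by the already-running web server, it needs neither to bind port 80/443 nor to stop Apache; the unprivileged user only needs write access to the challenge directory. And where the server supports it, `service apache24 reload` (a graceful restart) picks up the new certificate without the outage that a stop/start pre-hook and post-hook pair causes.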