Why do "let's encrypt" certificates require root access?

0

Let's Encrypt puts their certificates for use under: /etc/letsencrypt/live/domain.com/

Why? I cannot access it without running my webserver with sudo privileges (or changing the file permissions manually or just moving those certificates). This seems extremely annoying, but I am sure there is a reason for that.

And how do you workaround it? Or do you use it like that? I am thinking about changing the output dir.

codepleb

Posted 2020-01-02T10:54:16.617

Reputation: 843

Let's Encrypt doesn't put the certificates anywhere, it's a script you're running. Maybe certbot? You probably should check its configuration. Furthermore you could easily symlink that directory or change the permissions for the folder appropriately. /etc should be readable. – Seth – 2020-01-02T10:57:28.383

Answers

2

What I ended up doing: mkdir ~/cert && mkdir ~/cert/work-dir && mkdir ~/cert/logs-dir && certbot certonly --standalone --tls-sni-01-port 8443 --http-01-port 8080 -d 'domain.com' -m 'xyz@gmail.com' --config-dir ~/cert --agree-tos --no-eff-email --work-dir ~/cert/work-dir --logs-dir ~/cert/logs-dir

Handle everything within my home directory and run the certbot with all dirs linked to that. This way you don't need to sudo the certbot anymore, which somehow feels like the right thing to do (imho).

(OT) What this command does:

  • Make a dir called cert in the home directory and also the work and log dir that certbot requires.
  • Agree to all terms so the command will not block at any point. Also do a force renewal, even if the cert is not yet due for renewal (so do not spam this command!).
  • Set the log dir
  • Change the port that certbot listens on, because my webserver does not run with sudo, which makes it impossible to use port 80. All incoming traffic is rerouted to the ports 8080 and 8443 by my firewall.
  • The command can be spammed without using a renewal script. Just put it into a cronjob that runs every month or so.

codepleb

Posted 2020-01-02T10:54:16.617

Reputation: 843

Nice; thanks. Totally not my cup of tea, but: did you consider that anyone who compromises your account can fool around with the certificates (like: copy those to another server for a man in the middle attack)? Or, if the certificate is now readable by any account on your machine, things are even worse? Maybe that is why some default configuration runs as root instead? (Again: I've no clue; just wondering. Maybe one should make the web server the owner of the cron job and certificates instead.) – Arjan – 2020-01-03T10:50:03.270

@Arjan Thanks! I thought about that, but imho it doesn't really matter if the root user or my user is the owner that can pingpong with those certificates. You can do everything no matter if you get access to my user (including the password) or the root user. Because I don't see why this should matter, I rather go with the approach to run my programs without sudo, because I do not want them to have "admin-rights" if not really necessary. But it is definitely likely that I am overlooking something, since the guys over at let's encrypt are specialists in what they are doing imho. – codepleb – 2020-01-03T11:01:07.310

I think there's some benefit to handling certificates as root only in production setups. After all, the web server processes that make use of these certificates are usually only manageable by a user with sudo privileges, and you want to keep these permissions very tight. Also, certbot will reload Apache/Nginx for certificate renewals, for which sudo is required. It'll also create a global crontab entry that runs as root to perform the renewals. For development, of course, your approach would be better, but certbot was tuned for conventional web server setups. – slhck – 2020-01-03T11:01:08.327

@slhck This is the first time I'm doing it like that. I used to fiddle with nginx and stuff. But somehow I really like to keep things simple and separate from each other. I remember struggling with the ports 80 and 443 and having to do some extra work on most Linux systems, because there were apps that interfered with it. Now I can just use whichever port I like and let the router re-route the port 80 and 443 to wherever I want on my machine. And having nothing run as root (meaning, nobody that takes over "root" will be able to make major damage) feels kind of relieving. But I get your point. – codepleb – 2020-01-03T11:06:00.410
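The comments above raise the question of whether a user-owned --config-dir leaves the private key readable by other local accounts. The following added example (not part of the answer or of certbot) is a small POSIX shell check for that: it reports any non-symlink entry under the tree that grants group or world permissions, and a second function tightens the tree to owner-only with the private keys read-only. The directory path is an assumption; point it at whatever you passed as --config-dir.

```shell
#!/bin/sh
# Added example: verify and tighten permissions on a certbot config tree
# owned by an unprivileged user (e.g. ~/cert from the answer above).
# Assumes GNU find/stat (Linux); paths are assumptions for illustration.

# Return 0 if nothing under "$1" is group- or world-accessible, otherwise
# print each offending path with its mode and return 1.
# Symlinks are skipped: certbot's live/ entries are symlinks into archive/
# and a symlink's own mode is always 777, which would be a false positive.
check_cert_dir_perms() {
    dir="$1"
    offenders=$(find "$dir" ! -type l -perm /077 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | while read -r p; do
            printf 'too permissive: %s (mode %s)\n' "$p" "$(stat -c %a "$p")"
        done
        return 1
    fi
    return 0
}

# Remove all group/other bits from the tree, then make private keys
# read-only for the owner (certbot rewrites them on renewal by creating
# new files, so a read-only key does not block renewal).
lock_down_cert_dir() {
    dir="$1"
    chmod -R go-rwx "$dir" || return 1
    find "$dir" ! -type l -type f -name 'privkey*.pem' -exec chmod 400 {} + 2>/dev/null
    return 0
}
```

Run check_cert_dir_perms after every certbot invocation (for instance at the end of the cron job) so a permission regression is noticed rather than silently exposing the key to other accounts on the host.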