Date:      Sun, 13 Oct 2019 12:52:32 -0500
From:      Leif Pedersen <leif@ofwilsoncreek.com>
To:        Garrett Wollman <wollman@bimajority.org>
Cc:        Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-security@freebsd.org
Subject:   Re: Let's Encrypt
Message-ID:  <CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw@mail.gmail.com>
In-Reply-To: <23927.10.5222.629103@hergotha.csail.mit.edu>
References:  <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <20190910005231.GA23163@admin.sibptus.ru> <23927.10.5222.629103@hergotha.csail.mit.edu>

On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman <wollman@bimajority.org>
wrote:

> <<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas@mpeks.tomsk.su>
> said:
>
> > Trond Endrestøl wrote:
> >>
> >> #minute      hour    mday    month   wday    who     command
> >>
> >> 52   4       1       *       *       root    certbot renew --quiet
> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> >> 52   1       15      *       *       root    certbot renew --quiet
> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> > Is it safe to run certbot as root?
>
> I can't speak to certbot (I currently use acmetool) but in general,
> the thing that certbot does requires the ability to signal whatever
> process is using the certificates, which is normally going to be a web
> server but might be a mail server, name server, RADIUS server, or some
> other application -- as shown in the example above.  So if you don't
> run it as root (probably smart) you'll need to find another way to
> tell the TLS server application to reload its certificates when
> needed.
>
> -GAWollman
>

A good point. One option might be to run two cron jobs. One job would run
certbot as an unprivileged user, and the other would run "service apache24
restart" as root an hour or so later. (Or maybe reload is enough.)
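
The two-cron-job arrangement described above, as an added example that is not part of this thread or of certbot's own tooling. The unprivileged user name, the certbot directories, the certificate path and the state file are all assumptions; the only point taken from the thread is that certbot runs unprivileged and root reloads apache24 roughly an hour later. Instead of reloading unconditionally on every run, the root-side script compares the certificate's SHA-256 digest with the one recorded at the last reload, so a run in which nothing was renewed (or in which renewal failed and left the old file) does not bounce the server, and a file that openssl cannot parse as an unexpired certificate is refused rather than loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Root-side half of the two-cron-job
# scheme: certbot renews as an unprivileged user, and this script runs from
# root's crontab an hour later and reloads apache24 only if the certificate
# on disk actually changed since the last reload.
#
# Assumed /etc/crontab layout (user, directories and paths are assumptions):
#   52 4 1 * * certbot certbot renew --quiet --config-dir /home/certbot/etc \
#       --work-dir /home/certbot/work --logs-dir /home/certbot/log
#   52 5 1 * * root    /usr/local/sbin/reload-if-renewed.sh run

CERT="${CERT:-/home/certbot/etc/live/example.org/fullchain.pem}"  # assumed path
STAMP="${STAMP:-/var/db/reload-if-renewed.sha256}"                 # assumed state file
RELOAD_CMD="${RELOAD_CMD:-service apache24 reload}"

# digest FILE: SHA-256 hex digest; FreeBSD ships sha256(1), Linux sha256sum(1)
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# cert_changed FILE STAMP: returns 0 if FILE's digest differs from the one
# recorded in STAMP (or STAMP is missing), 1 if unchanged, 2 if FILE is unreadable
cert_changed() {
    [ -r "$1" ] || return 2
    new=$(digest "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# cert_valid FILE: returns 0 if openssl parses FILE as a certificate that has
# not expired, so a truncated or half-written file never reaches the reload
cert_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# record_cert FILE STAMP: remember FILE's digest after a successful reload
record_cert() {
    digest "$1" > "$2"
}

main() {
    if ! cert_changed "$CERT" "$STAMP"; then
        exit 0   # nothing renewed since the last reload; leave apache alone
    fi
    if ! cert_valid "$CERT"; then
        echo "reload-if-renewed: $CERT is missing or not a valid certificate" >&2
        exit 1
    fi
    # Record the digest only after the reload succeeded, so a failed reload
    # is retried on the next run rather than silently forgotten.
    $RELOAD_CMD && record_cert "$CERT" "$STAMP"
}

# cron invokes the script with the "run" argument; sourcing it only defines
# the functions
case "${1:-}" in
    run) main ;;
esac
```

The private key and certificate written by the unprivileged user must remain readable by the account apache24 uses to load them; that, not the cron split itself, is the part to check with `ls -l` after the first renewal.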

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw>