From: Leif Pedersen
Date: Sun, 13 Oct 2019 12:52:32 -0500
Subject: Re: Let's Encrypt
To: Garrett Wollman
Cc: Victor Sudakov, freebsd-security@freebsd.org
On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman wrote:
> < > said:
>
> > Trond Endrestøl wrote:
> >>
> >> #minute hour mday month wday who command
> >>
> >> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> >> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> >
> > Is it safe to run certbot as root?
>
> I can't speak to certbot (I currently use acmetool) but in general,
> the thing that certbot does requires the ability to signal whatever
> process is using the certificates, which is normally going to be a web
> server but might be a mail server, name server, RADIUS server, or some
> other application -- as shown in the example above. So if you don't
> run it as root (probably smart) you'll need to find another way to
> tell the TLS server application to reload its certificates when
> needed.
>
> -GAWollman

A good point. One option might be to run two cron jobs. One job would run
certbot as an unprivileged user, and the other would run "service apache24
restart" as root an hour or so later. (Or maybe reload is enough.)
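An added example of the two-cron-job arrangement described in the reply above; it is not code from the thread, from certbot or from the FreeBSD project. It assumes a dedicated unprivileged user (called acme here), certbot pointed at directories that user owns through its --config-dir, --work-dir and --logs-dir options, a certificate originally obtained with a challenge method that does not need to bind port 80 (webroot, since an unprivileged certbot cannot use the standalone authenticator that the quoted crontab's "service apache24 stop" pre-hook implies), and a root cron job that reloads Apache only when the certificate file has actually changed rather than restarting unconditionally an hour later. The script name, the paths and the example.com certificate name are assumptions.

```shell
#!/bin/sh
# cert-reload.sh (assumed name): the root-side half of the two-cron-job scheme.
# Added example; user name, paths and schedule below are assumptions.
#
# Unprivileged user's crontab (crontab -u acme -e), same dates as the thread:
#   52 4 1 * * certbot renew --quiet --config-dir /var/acme/etc --work-dir /var/acme/lib --logs-dir /var/acme/log
#   52 1 15 * * certbot renew --quiet --config-dir /var/acme/etc --work-dir /var/acme/lib --logs-dir /var/acme/log
# Root's /etc/crontab, an hour later, reloading only if the certificate changed:
#   52 5 1 * * root /usr/local/sbin/cert-reload.sh run
#   52 2 15 * * root /usr/local/sbin/cert-reload.sh run

CERT="${CERT:-/var/acme/etc/live/example.com/fullchain.pem}"
STATE="${STATE:-/var/db/cert-reload.sha256}"
RELOAD_CMD="${RELOAD_CMD:-service apache24 reload}"

# Hex SHA-256 of a file: sha256(1) on FreeBSD, sha256sum on Linux.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# cert_changed CERT STATE: exit 0 if CERT is readable and its hash differs from
# the one recorded in STATE (or STATE does not exist yet), exit 1 otherwise.
cert_changed() {
    cert=$1; state=$2
    [ -r "$cert" ] || return 1
    old=""
    if [ -r "$state" ]; then
        old=$(cat "$state")
    fi
    [ "$(hash_file "$cert")" != "$old" ]
}

# record_cert CERT STATE: store CERT's hash so the next run is a no-op.
# Written through a temp file and mv so a crash never leaves a half-written state.
record_cert() {
    hash_file "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}

# reload_if_changed CERT STATE CMD: run CMD (the TLS server's reload) only when
# the certificate changed, and record the new hash only if CMD succeeded, so a
# failed reload is retried on the next cron run instead of being forgotten.
reload_if_changed() {
    cert=$1; state=$2; cmd=$3
    cert_changed "$cert" "$state" || return 0
    sh -c "$cmd" || return 1
    record_cert "$cert" "$state"
}

# Cron entry point; guarded so the functions can also be sourced for testing.
if [ "${1:-}" = run ]; then
    reload_if_changed "$CERT" "$STATE" "$RELOAD_CMD"
fi
```

Because the root job does nothing unless the file's hash changed, it can run far more often than certbot's schedule (hourly, say), which removes the guesswork about how long after the renewal the reload should happen. For Apache a graceful reload is sufficient: it re-reads the configuration and the certificate files without dropping in-flight connections, so a full restart is not needed. The only thing the unprivileged side must get right is that the private key and chain under the acme user's directories remain readable by the server process at reload time.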