From: Garrett Wollman
To: Victor Sudakov
Cc: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Date: Mon, 9 Sep 2019 21:44:42 -0400
Message-ID: <23927.10.5222.629103@hergotha.csail.mit.edu>
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>
Victor Sudakov said:

> Trond Endrestøl wrote:
>>
>> #minute	hour	mday	month	wday	who	command
>>
>> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

> Is it safe to run certbot as root?

I can't speak to certbot (I currently use acmetool) but in general, the thing that
certbot does requires the ability to signal whatever process is using the certificates, which is normally going to be a web server but might be a mail server, name server, RADIUS server, or some other application -- as shown in the example above. So if you don't run it as root (probably smart) you'll need to find another way to tell the TLS server application to reload its certificates when needed. -GAWollman
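One way to give a non-root certbot that "other way" to tell the TLS server to reload, as an added example that is not part of the message above or of certbot itself: a --deploy-hook script that runs as the unprivileged certbot user and reloads only the services that load the renewed certificate, through a sudoers rule restricted to the reload command. RENEWED_DOMAINS and RENEWED_LINEAGE are the variables certbot sets for deploy hooks; the domain-to-service mapping, the "acme" user, and the sudoers line are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical certbot --deploy-hook for a non-root certbot user (example code).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS (space-separated) to --deploy-hook scripts.
# Assumed sudoers rule, so the hook can reload but not stop, start or run
# anything else as root:
#   acme ALL=(root) NOPASSWD: /usr/sbin/service apache24 reload, \
#                             /usr/sbin/service dovecot reload,  \
#                             /usr/sbin/service postfix reload

# Map a renewed domain to the service(s) that load its certificate.
# Constructed mapping for illustration.
services_for_domain() {
    case "$1" in
        www.example.org|example.org) echo "apache24" ;;
        mail.example.org)            echo "dovecot postfix" ;;
        *)                           echo "" ;;
    esac
}

# Build the deduplicated, space-separated list of services to reload for a
# RENEWED_DOMAINS value, so a lineage covering several names reloads each
# daemon once.
services_to_reload() {
    out=""
    for d in $1; do
        for s in $(services_for_domain "$d"); do
            case " $out " in
                *" $s "*) ;;                 # already listed
                *) out="$out $s" ;;
            esac
        done
    done
    echo "${out# }"
}

# Reload each service through the restricted sudo rule. RELOAD_CMD can be
# overridden (e.g. RELOAD_CMD=echo) to exercise the logic without root.
# "sudo -n" fails instead of prompting, which is what you want from cron.
reload_services() {
    cmd="${RELOAD_CMD:-sudo -n /usr/sbin/service}"
    for s in $1; do
        $cmd "$s" reload || return 1
    done
    return 0
}

# Only act when invoked by certbot; a manual run with nothing renewed is a no-op.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    reload_services "$(services_to_reload "$RENEWED_DOMAINS")"
fi
```

Install it as `certbot renew --quiet --deploy-hook /usr/local/etc/letsencrypt/reload.sh` (or under renewal-hooks/deploy) in the acme user's crontab rather than root's; the certificate files under the lineage still need to be readable by the daemons, which is a separate permissions question from the reload itself.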