Date:      Tue, 10 Sep 2019 10:08:39 +0200 (CEST)
From:      =?UTF-8?Q?Trond_Endrest=C3=B8l?= <trond.endrestol@ximalas.info>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Let's Encrypt
Message-ID:  <alpine.BSF.2.21.99999.352.1909101007361.18927@enterprise.ximalas.info>
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>
References:  <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <20190910005231.GA23163@admin.sibptus.ru>

On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote:

> Trond Endrestøl wrote:
> > 
> > #minute	hour	mday	month	wday	who	command
> > 
> > 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 
> Is it safe to run certbot as root? 

It needs access to TCP port 443 to run some checks. Hence the need to 
stop and start apache or your other regular webserver.

-- 
Trond.
From owner-freebsd-security@freebsd.org  Tue Sep 10 09:20:11 2019
Subject: Re: Let's Encrypt
To: Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-security@freebsd.org
References: <20190908145835.GA67269@admin.sibptus.ru>
 <20190909090605.GA97856@admin.sibptus.ru>
 <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
 <20190910005231.GA23163@admin.sibptus.ru>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <549e2c7a-8222-7ae0-e6bc-233ae65d5a60@quip.cz>
Date: Tue, 10 Sep 2019 11:20:05 +0200
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>

Victor Sudakov wrote on 2019/09/10 02:52:
> Trond Endrestøl wrote:
>>
>> #minute	hour	mday	month	wday	who	command
>>
>> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 
> Is it safe to run certbot as root?

I cannot recommend running things like this as root. I am using acme.sh 
running as an unprivileged user, and only the deployment of the new / 
renewed key is run as root through sudo. I don't know certbot well; 
acme.sh allows the use of shell scripts as hooks for actions like deployment, 
so it was really simple to separate cert signing and deployment of the new cert.

Kind regards
Miroslav Lachman
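The split Miroslav describes (acme.sh as an unprivileged user, only the install step as root through sudo), as an added example that is not part of this thread or of acme.sh: a root-side deploy script which the unprivileged account may invoke via sudo with no arguments, so root never acts on paths chosen by the ACME client. The user name `acme`, the staging and destination directories, the domain and the `fullchain.cer` / `<domain>.key` file names are assumptions; `--install-cert` and `--reloadcmd` are real acme.sh options.

```shell
#!/bin/sh
# deploy-cert.sh (hypothetical): the root-side half of a split setup.
# acme.sh runs as user "acme" and never touches the webserver; on renewal its
# --install-cert step writes into STAGE_DIR and its --reloadcmd runs
#     sudo /usr/local/sbin/deploy-cert.sh
# sudoers grants that one command and nothing else (assumed fragment):
#     acme ALL=(root) NOPASSWD: /usr/local/sbin/deploy-cert.sh
# The script takes no arguments and hardcodes every path on the root side,
# so the unprivileged account cannot steer what root copies or restarts.
set -eu

STAGE_DIR="${STAGE_DIR:-/var/db/acme/staging}"  # writable by acme (assumed)
DEST_DIR="${DEST_DIR:-/usr/local/etc/ssl}"      # root-owned, read by apache24
DOMAIN="${DOMAIN:-example.org}"                  # constructed placeholder
SERVICE="${SERVICE:-apache24}"

# A staged file must be a plain, non-empty regular file. Rejecting symlinks
# matters: the staging dir is acme-writable, so a symlink there could make
# root copy an arbitrary file into DEST_DIR as "the certificate".
check_staged_file() {
    p="$1"
    [ ! -L "$p" ] || return 1
    [ -f "$p" ] && [ -s "$p" ]
}

# Install only a matching pair: compare the certificate's SubjectPublicKeyInfo
# with the one derived from the private key (works for RSA and EC keys), so a
# half-written renewal never takes the webserver down.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

install_certs() {
    key="$STAGE_DIR/$DOMAIN.key"
    crt="$STAGE_DIR/fullchain.cer"
    for f in "$key" "$crt"; do
        check_staged_file "$f" || { echo "refusing $f" >&2; return 1; }
    done
    cert_matches_key "$crt" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    # install(1) copies and sets owner/mode in one step; the key stays 0600.
    install -o root -g wheel -m 0600 "$key" "$DEST_DIR/$DOMAIN.key"
    install -o root -g wheel -m 0644 "$crt" "$DEST_DIR/fullchain.cer"
    service "$SERVICE" restart   # the thread's hooks stop/start; restart is equivalent
}

# Deploy only when run under the installed name; sourcing just defines functions.
case "${0##*/}" in deploy-cert.sh) install_certs ;; esac
```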