Date: Tue, 10 Sep 2019 10:08:39 +0200 (CEST) From: =?UTF-8?Q?Trond_Endrest=C3=B8l?= <trond.endrestol@ximalas.info> To: Victor Sudakov <vas@mpeks.tomsk.su> Cc: freebsd-security@freebsd.org Subject: Re: Let's Encrypt Message-ID: <alpine.BSF.2.21.99999.352.1909101007361.18927@enterprise.ximalas.info> In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru> References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <20190910005231.GA23163@admin.sibptus.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote: > Trond Endrestøl wrote: > > > > #minute hour mday month wday who command > > > > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > Is it safe to run certbot as root? It needs access to TCP port 443 to run some checks. Hence the need to stop and start apache or you other regular webserver. -- Trond. From owner-freebsd-security@freebsd.org Tue Sep 10 09:20:11 2019 Return-Path: <owner-freebsd-security@freebsd.org> Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C12BD0DFD for <freebsd-security@mailman.nyi.freebsd.org>; Tue, 10 Sep 2019 09:20:11 +0000 (UTC) (envelope-from SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 46SKHt3s5Tz4DCP for <freebsd-security@freebsd.org>; Tue, 10 Sep 2019 09:20:10 +0000 (UTC) (envelope-from SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id BEF4B28423; Tue, 10 Sep 2019 11:20:07 +0200 (CEST) Received: from illbsd.quip.test (ip-62-24-92-232.net.upcbroadband.cz [62.24.92.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 9382128422; Tue, 10 Sep 2019 11:20:06 +0200 (CEST) Subject: Re: Let's Encrypt To: Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-security@freebsd.org References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <20190910005231.GA23163@admin.sibptus.ru> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <549e2c7a-8222-7ae0-e6bc-233ae65d5a60@quip.cz> Date: Tue, 10 Sep 2019 11:20:05 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 46SKHt3s5Tz4DCP X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [3.93 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; IP_SCORE(0.92)[ip: (0.48), ipnet: 94.124.104.0/21(0.24), asn: 42000(3.80), country: CZ(0.07)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.81)[0.813,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; NEURAL_SPAM_LONG(1.00)[0.996,0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" <freebsd-security.freebsd.org> List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>; List-Post: <mailto:freebsd-security@freebsd.org> List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help> List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, <mailto:freebsd-security-request@freebsd.org?subject=subscribe> X-List-Received-Date: Tue, 10 Sep 2019 09:20:11 -0000 Victor Sudakov wrote on 2019/09/10 02:52: > Trond Endrestøl wrote: >> >> #minute hour mday month wday who command >> >> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" >> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > Is it safe to run certbot as root? I cannot recommend to run things like this as root. I am using acme.sh running as unprivileged user and only the deployment of the new / renewed key is run as root through sudo. I don't know certbot well, acme.sh allows to use shell scripts as hooks for actions like deployment so it was really simple to separate cert signing and deployment of new cert. Kind regards Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.21.99999.352.1909101007361.18927>