From owner-freebsd-security@freebsd.org Tue Sep 10 08:08:48 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C439FF66EF for ; Tue, 10 Sep 2019 08:08:48 +0000 (UTC) (envelope-from trond.endrestol@ximalas.info) Received: from enterprise.ximalas.info (enterprise.ximalas.info [IPv6:2001:700:1100:1::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ximalas.info", Issuer "Hostmaster ximalas.info" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 46SHjW3Lt1z46x5 for ; Tue, 10 Sep 2019 08:08:47 +0000 (UTC) (envelope-from trond.endrestol@ximalas.info) Received: from enterprise.ximalas.info (Ximalas@localhost [127.0.0.1]) by enterprise.ximalas.info (8.15.2/8.15.2) with ESMTPS id x8A88dRB068410 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 10 Sep 2019 10:08:39 +0200 (CEST) (envelope-from trond.endrestol@ximalas.info) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ximalas.info; s=default; t=1568102919; bh=M9+nRFwnMrKk4QlPWTKo/5fhhEfPWP8L8o9RdOX8NNE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=n1r177NCecka56oFIO41obKomhJM2fdPxxxAAL9p3Oi7TgscIcU4nyyvDnMkhWjGb AvXPfva0m/vwgc7aRJ5re292Aljc8/N8Ma/GTKjlypqbq9D5vh7RuiBdexYwJYGBEH IxmPxa5pIjFzlS7dAjGj1kmMCUYs2QzRSK/3BIEElzbjFmg7zOs3rFYCk9607cdUKG WFHr01c8m2B9YXrc6vVJ9CUClgmP0ZJcWG0IBJxXeJe1nL7bU8SzqlZQDVvmVV6NG9 W6YRSizJdrnvTJJfL+xL5kMXzpFjYOfZW2SmgUeWkMzm7nSCCIMbdgSy2wP0bHSDVk sQFtzASAr5KyA== Received: from localhost (trond@localhost) by enterprise.ximalas.info (8.15.2/8.15.2/Submit) with ESMTP id x8A88d4p068407; Tue, 10 Sep 2019 10:08:39 +0200 (CEST) (envelope-from trond.endrestol@ximalas.info) X-Authentication-Warning: enterprise.ximalas.info: trond owned process doing -bs Date: Tue, 10 Sep 2019 10:08:39 +0200 (CEST) From: =?UTF-8?Q?Trond_Endrest=C3=B8l?= Sender: Trond.Endrestol@ximalas.info To: Victor Sudakov cc: freebsd-security@freebsd.org Subject: Re: Let's Encrypt In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru> Message-ID: References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <20190910005231.GA23163@admin.sibptus.ru> User-Agent: Alpine 2.21.99999 (BSF 352 2019-06-22) OpenPGP: url=http://ximalas.info/about/tronds-openpgp-public-key MIME-Version: 1.0 X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on enterprise.ximalas.info X-Rspamd-Queue-Id: 46SHjW3Lt1z46x5 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=ximalas.info header.s=default header.b=n1r177NC; dmarc=pass (policy=none) header.from=ximalas.info; spf=pass (mx1.freebsd.org: domain of trond.endrestol@ximalas.info designates 2001:700:1100:1::8 as permitted sender) smtp.mailfrom=trond.endrestol@ximalas.info X-Spamd-Result: default: False [-3.63 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[ximalas.info:s=default]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a:c]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/mixed,text/plain]; HAS_XAW(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[ximalas.info:+]; CTYPE_MIXED_BOGUS(1.00)[]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[ximalas.info,none]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:224, ipnet:2001:700::/32, country:NO]; IP_SCORE(-1.63)[ip: (-6.98), ipnet: 2001:700::/32(-0.66), asn: 224(-0.49), country: NO(-0.01)] Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2019 08:08:48 -0000 On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote: > Trond Endrestøl wrote: > > > > #minute hour mday month wday who command > > > > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > Is it safe to run certbot as root? It needs access to TCP port 443 to run some checks. Hence the need to stop and start apache or you other regular webserver. -- Trond. From owner-freebsd-security@freebsd.org Tue Sep 10 09:20:11 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C12BD0DFD for ; Tue, 10 Sep 2019 09:20:11 +0000 (UTC) (envelope-from SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 46SKHt3s5Tz4DCP for ; Tue, 10 Sep 2019 09:20:10 +0000 (UTC) (envelope-from SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id BEF4B28423; Tue, 10 Sep 2019 11:20:07 +0200 (CEST) Received: from illbsd.quip.test (ip-62-24-92-232.net.upcbroadband.cz [62.24.92.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 9382128422; Tue, 10 Sep 2019 11:20:06 +0200 (CEST) Subject: Re: Let's Encrypt To: Victor Sudakov , freebsd-security@freebsd.org References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <20190910005231.GA23163@admin.sibptus.ru> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <549e2c7a-8222-7ae0-e6bc-233ae65d5a60@quip.cz> Date: Tue, 10 Sep 2019 11:20:05 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 46SKHt3s5Tz4DCP X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [3.93 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; IP_SCORE(0.92)[ip: (0.48), ipnet: 94.124.104.0/21(0.24), asn: 42000(3.80), country: CZ(0.07)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.81)[0.813,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; NEURAL_SPAM_LONG(1.00)[0.996,0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=C8N2=XF=quip.cz=000.fbsd@elsa.codelab.cz]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2019 09:20:11 -0000 Victor Sudakov wrote on 2019/09/10 02:52: > Trond Endrestøl wrote: >> >> #minute hour mday month wday who command >> >> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" >> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start" > > Is it safe to run certbot as root? I cannot recommend to run things like this as root. I am using acme.sh running as unprivileged user and only the deployment of the new / renewed key is run as root through sudo. I don't know certbot well, acme.sh allows to use shell scripts as hooks for actions like deployment so it was really simple to separate cert signing and deployment of new cert. Kind regards Miroslav Lachman