Date: Tue, 10 Sep 2019 01:44:52 -0000
From: Garrett Wollman <wollman@bimajority.org>
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Message-ID: <23927.10.5222.629103@hergotha.csail.mit.edu>
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>
References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <20190910005231.GA23163@admin.sibptus.ru>

<<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas@mpeks.tomsk.su> said:

> Trond Endrestøl wrote:
>>
>> #minute	hour	mday	month	wday	who	command
>>
>> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

> Is it safe to run certbot as root?

I can't speak to certbot (I currently use acmetool) but in general,
the thing that certbot does requires the ability to signal whatever
process is using the certificates, which is normally going to be a web
server but might be a mail server, name server, RADIUS server, or some
other application -- as shown in the example above. So if you don't
run it as root (probably smart) you'll need to find another way to
tell the TLS server application to reload its certificates when
needed.

-GAWollman
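
One way to provide the "another way to tell the TLS server application to reload" mentioned above, as an added example that is not part of the original message or of any ACME client: a small root-owned script that reloads the server only when the certificate file written by an unprivileged ACME client has changed. The file paths, the `run` argument and the use of `service apache24 reload` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Root-side half of a split setup: the
# ACME client runs unprivileged and writes $CERT; only this script is root.
# All paths below are hypothetical.
CERT="${CERT:-/usr/local/etc/ssl/acme/fullchain.pem}"
STAMP="${STAMP:-/var/db/acme-reload/fullchain.sha256}"  # root-owned dir
RELOAD_CMD="${RELOAD_CMD:-service apache24 reload}"

# Print the SHA-256 of a file with whichever tool is installed.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    fi
}

# 0: certificate differs from the one last reloaded; 1: unchanged;
# 2: file unusable (missing, empty, not a regular file, or unhashable).
cert_changed() {
    [ -f "$CERT" ] && [ -s "$CERT" ] || return 2
    new=$(digest "$CERT") || return 2
    [ -n "$new" ] || return 2
    old=$(cat "$STAMP" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Reload only on change. The digest is recorded after a successful reload,
# so a failed reload is retried on the next run.
reload_if_changed() {
    status=0
    cert_changed || status=$?
    case $status in
        0) $RELOAD_CMD && printf '%s\n' "$new" > "$STAMP" ;;  # word-split on purpose
        1) return 0 ;;
        *) echo "refusing to act on $CERT" >&2; return 2 ;;
    esac
}

# Run from root's crontab as: /path/to/this-script run
if [ "${1:-}" = "run" ]; then
    reload_if_changed
fi
```

Keeping the stamp file in a directory only root can write means the unprivileged account can trigger a reload by changing the certificate but cannot suppress one.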