letsencrypt -t --work-dir /tmp --logs-dir /tmp \
certonly --webroot /www/public -d example.com
# Remove execution bit (not needed for this file)
os.chmod(path, filemode & ~stat.S_IEXEC)
Then I added this to nginx.conf:
listen 443 ssl http2;
When you say it that way, it sounds like there's something untoward going on. ;)
From what I understand, the official client can bind to port 80 to do Basic HTTP verification. This requires root privs. The official client can also update many HTTP server config files. I guess you don't need to be root to do this, but it does remove a command line flag. LE is designed to be stupidly simple, but, as you've discovered, it does let more technical users run it in safer modes of operation.
> Except on my system the letsencrypt command did not work. It failed with an "Operation not permitted".
Odd. If I'm reading the code correctly, it looks like you have to have write and create privs to 'path', so it's odd that you wouldn't also be able to remove the execute bit.
Regardless, would you file a bug about this or, at least, bring it up on the mailing list? It's possible that this is user error, but if it's not, I expect that it's something the LE guys would like to hear about.
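
An added illustration (not code from this thread or from the Let's Encrypt client) of one condition under which the chmod call quoted above raises "Operation not permitted": on POSIX systems chmod succeeds only for the file's owner or a privileged process, whatever write access the caller has. The helper names are hypothetical, and euid 0 stands in for the CAP_FOWNER capability as a simplifying assumption.

```python
import os
import stat
import tempfile
from typing import Optional


def chmod_allowed(file_uid: int, euid: int) -> bool:
    """POSIX rule for chmod(2): the caller must own the file or be privileged.

    Write permission on the file or its parent directory is not enough,
    so a process that could create or modify a file may still get EPERM.
    Assumption: euid 0 is treated as "privileged" (really CAP_FOWNER on Linux).
    """
    return euid == 0 or euid == file_uid


def drop_owner_exec(path: str) -> Optional[int]:
    """Clear the owner-execute bit, as the quoted snippet does.

    Returns the new permission bits, or None when the change is not
    permitted (file owned by another user, or the kernel refused).
    """
    st = os.stat(path)
    if not chmod_allowed(st.st_uid, os.geteuid()):
        return None  # chmod would fail with "Operation not permitted"
    # stat.S_IEXEC is the owner-execute bit only (0o100), not group/other.
    new_mode = stat.S_IMODE(st.st_mode) & ~stat.S_IEXEC
    try:
        os.chmod(path, new_mode)
    except PermissionError:
        # Still refused, e.g. an immutable file or a restrictive mount.
        return None
    return new_mode


def demo() -> int:
    """Constructed sample: a temp file we own, created with mode 0755."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.pem")
        with open(path, "w") as fh:
            fh.write("constructed sample contents\n")
        os.chmod(path, 0o755)
        drop_owner_exec(path)
        return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(oct(demo()))
```

Comparing `ls -ln` output for the target path with `id -u` shows quickly whether the process running the client owns the files it is trying to chmod.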