
They keep trying to push the idea that letsencrypt should be run as root. If you disagree with that, I ran it as a normal user using:

    letsencrypt -t --work-dir /tmp --logs-dir /tmp \
    certonly --webroot /www/public -d example.com
Except on my system the letsencrypt command did not work. It failed with an "Operation not permitted". So I edited the webroot.py file, and commented out line 108 that said:

    # Remove execution bit (not needed for this file)
    os.chmod(path, filemode & ~stat.S_IEXEC)
It ran fine without root, sudo, or su.

Then I added this to nginx.conf:

    listen 443 ssl http2;
    ssl_certificate /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
It gets an A+ on ssllabs.com, and it works fine in the browser. When I click the lock it says "Let's Encrypt".
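What the webroot plugin is doing at the line quoted above, as an added example (not code from the letsencrypt client or from the poster): create `<webroot>/.well-known/acme-challenge/<token>` containing the key authorization as an unprivileged user, then try to drop the execute bit exactly as webroot.py does. The difference from commenting the line out is that an EPERM from chmod(2), which the kernel returns when the caller does not own the file, is caught and reported rather than aborting the run, since the bit is not needed for the file to be served. The token and key authorization are constructed sample strings, not values issued by Let's Encrypt, and treating only EPERM as non-fatal is this example's choice.

```python
import errno
import os
import stat
import tempfile

# Constructed sample values standing in for a real ACME http-01 challenge.
# These are NOT a token or key authorization issued by Let's Encrypt.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_KEYAUTH = SAMPLE_TOKEN + ".nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzAUMxm5LIA"

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def challenge_path(webroot, token):
    """Path the ACME server fetches: <webroot>/.well-known/acme-challenge/<token>."""
    return os.path.join(webroot, CHALLENGE_SUBDIR, token)


def write_challenge(webroot, token, keyauth):
    """Create the challenge file as the current (unprivileged) user.

    Returns a dict with the final path, its permission bits, and whether
    the execute-bit removal succeeded or was skipped because chmod(2)
    returned EPERM (the caller does not own an already-existing file).
    """
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    # 0o644 (before umask): world-readable so the web server, which usually
    # runs as a different user, can serve the file. No execute bit is set.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(keyauth)
    filemode = stat.S_IMODE(os.stat(path).st_mode)
    exec_bit_cleared = True
    try:
        # Same operation as webroot.py's "remove execution bit".
        # chmod(2) fails with EPERM unless the caller owns the file (or is root).
        os.chmod(path, filemode & ~stat.S_IEXEC)
    except PermissionError as e:
        if e.errno != errno.EPERM:  # assumption: only EPERM is treated as non-fatal
            raise
        exec_bit_cleared = False
    return {
        "path": path,
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "exec_bit_cleared": exec_bit_cleared,
    }


def verify_locally(webroot, token, keyauth):
    """What the ACME server effectively checks over HTTP: body == key authorization."""
    with open(challenge_path(webroot, token)) as f:
        return f.read() == keyauth


def run_demo():
    """Stand-alone run in a throwaway webroot; returns the write result plus a local check."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    result = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_KEYAUTH)
    result["verified"] = verify_locally(webroot, SAMPLE_TOKEN, SAMPLE_KEYAUTH)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Because the file is created by the same user that later calls chmod, the bit removal succeeds in the demo; the EPERM branch is what you hit when a challenge file with the same token already exists in the webroot and belongs to someone else.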



> They keep trying to push the idea that letsencrypt should be run as root.

When you say it that way, it sounds like there's something untoward going on. ;)

From what I understand, the official client can bind to port 80 to do Basic HTTP verification. This requires root privs. The official client can also update many HTTP server config files. I guess you don't need to be root to do this, but it does remove a command line flag. LE is designed to be stupidly simple, but -as you've discovered- it does let more technical users run it in safer modes of operation.

> Except on my system the letsencrypt command did not work. It failed with an "Operation not permitted".

Odd. If I'm reading the code correctly, it looks like you have to have write and create privs to 'path', so it's odd that you wouldn't also be able to remove the execute bit.

Regardless, would you file a bug about this or -at least- bring it up on the mailing list? It's possible that this is user error, but if it's not, I expect that it's something the LE guys would like to hear about.


Actually... it's chown that is failing, which is very logical: only root can do chown.
