The following steps should be taken only if you installed Certbot by using the certbot-auto script.
We were recently contacted by an individual concerned about the security implications of the certbot-auto configuration suggested by our configuration generator at https://certbot.eff.org/. On reviewing our documentation it was clear that, because of its generic nature, the best practices for the file location and permissions of certbot-auto weren't covered. The documentation has now been updated to address these issues, and the change should have resulted in easier-to-follow instructions as well.
To ensure that your certbot-auto deployment is secure, please follow the configuration checklist below.
- Make sure that the directory path containing certbot-auto (which includes every directory in the absolute path to certbot-auto) doesn't allow writing for low privileged users.
  - This involves making sure that each directory in the path is owned by root and is not writable by other users. Since certbot-auto runs as root, anyone who can write to one of these directories could replace the script, or redirect the path to a script of their own, and have it run as root.
  - The installation path suggested in the revised documentation is /usr/local/bin/certbot-auto
- Ensure that the certbot-auto executable is owned by the root user.
  - The ownership change can be done by executing the command:
    sudo chown root /path/to/certbot-auto
- Make sure that the certbot-auto script itself doesn't allow writing for low privileged users.
  - The permissions suggested by the revised documentation are 0755, which allows reading and executing the file for all users, but limits write access to the file owner.
  - The permissions change can be done by executing the command:
    sudo chmod 0755 /path/to/certbot-auto
- If you made any changes to the directory path of certbot-auto during the previous steps, adjust your cron job or systemd timer to match.
By following the checklist above, you ensure that the certbot-auto executable cannot be changed by a low privileged user between scheduled renewal runs, in the unfortunate case of such a user account being compromised.