Certbot-auto deployment best practices

The following steps should be taken only if you installed Certbot by using the certbot-auto script.

We were recently contacted by an individual concerned about the security implications of the certbot-auto configuration suggested by our configuration generator at https://certbot.eff.org/. Upon reviewing our documentation, it was clear that, because of its generic nature, it did not cover best practices regarding file locations and permissions. The documentation has now been updated to address these issues, and the change has hopefully made the instructions easier to follow as well.

To ensure that your certbot-auto deployment is secure, please follow the configuration checklist below.

  1. Make sure that the directory path containing certbot-auto (which includes every directory accessed in the absolute path to certbot-auto) doesn’t allow writing for low-privileged users.

    • This involves making sure that the directory path is owned by root and is not writable by other users.
    • The installation path suggested in the revised documentation is
      /usr/local/bin/certbot-auto
  2. Ensure that the certbot-auto executable is owned by the root user.

    • The ownership change can be done by executing the command:
      sudo chown root /path/to/certbot-auto
  3. Make sure that the certbot-auto script itself doesn’t allow writing for low-privileged users.

    • The permissions suggested by the revised documentation are 0755, which allows reading and executing the file for all users, but limits write access to the file owner.
    • The permissions change can be done by executing the command:
      sudo chmod 0755 /path/to/certbot-auto
  4. If you made any changes to the directory path of certbot-auto during the previous steps, adjust your cron job or systemd timer to address these changes.

By following the checklist above, you can ensure that a low-privileged user cannot change the certbot-auto executable between scheduled renewal runs, should that user account be compromised.
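
A read-only audit of checklist items 1 to 3, added here as an example and not part of Certbot or its documentation: it checks the script and every directory in its absolute path for root ownership and for group or other write bits. The function names `check_entry` and `audit_path` are hypothetical, and treating group-writable as unsafe is an assumption based on the suggested 0755 mode.

```shell
#!/bin/sh
# Added example, not part of Certbot. Usage: sh audit.sh /usr/local/bin/certbot-auto
# Assumption: group-writable is treated as unsafe, matching the suggested 0755.

# check_entry PATH [UID]: succeed only if PATH is owned by UID (default 0 = root)
# and has neither the group nor the other write bit set.
check_entry() {
    entry=$1 want_uid=${2:-0}
    # ls -ldnL prints the mode string and numeric owner, following symlinks.
    set -- $(ls -ldnL -- "$entry" 2>/dev/null | awk '{print $1, $3}')
    [ $# -eq 2 ] || { echo "FAIL $entry: cannot stat"; return 1; }
    status=0
    [ "$2" = "$want_uid" ] ||
        { echo "FAIL $entry: owner uid $2, expected $want_uid"; status=1; }
    case $1 in  # character 6 = group write, character 9 = other write
        ?????w*|????????w*)
            echo "FAIL $entry: writable by group or others ($1)"; status=1 ;;
    esac
    return $status
}

# audit_path FILE [UID]: check FILE, then every directory from its parent up to /.
audit_path() {
    want=${2:-0} rc=0
    dir=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) ||
        { echo "FAIL $1: directory not found"; return 1; }
    check_entry "$dir/$(basename -- "$1")" "$want" || rc=1
    while :; do
        check_entry "$dir" "$want" || rc=1
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_path "$@" && echo "OK: $1 and its directory path pass the checklist"
fi
```

The script exits non-zero when any entry fails, so it can run as a check before the renewal job in the same cron entry or systemd unit.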
