Certbot-auto deployment best practices

The following steps should be taken only if you installed Certbot by using the certbot-auto script.

We were recently contacted by an individual concerned about the security implications of the certbot-auto configuration suggested by our configuration generator at https://certbot.eff.org/. Upon reviewing our documentation, it was clear that, because of its generic nature, it did not cover the best practices for file locations and permissions. The documentation has now been updated to address these issues, and the change has hopefully resulted in easier-to-follow instructions as well.

To ensure that your certbot-auto deployment is secure, please follow the configuration checklist below.

  1. Make sure that the directory path containing certbot-auto (which includes every directory in the absolute path to certbot-auto) doesn’t allow writing for low-privileged users.

    • This involves making sure that the directory path is owned by root and is not writable by other users.
    • The installation path suggested in the revised documentation is
      /usr/local/bin/certbot-auto
  2. Ensure that the certbot-auto executable is owned by the root user.

    • The ownership change can be done by executing the command:
      sudo chown root /path/to/certbot-auto
  3. Make sure that the certbot-auto script itself doesn’t allow writing for low-privileged users.

    • The permissions suggested by the revised documentation are 0755, which allow all users to read and execute the file but restrict write access to the file owner.
    • The permissions change can be done by executing the command:
      sudo chmod 0755 /path/to/certbot-auto
  4. If you made any changes to the directory path of certbot-auto during the previous steps, adjust your cron job or systemd timer to address these changes.

By following the checklist above, you can ensure that the certbot-auto executable cannot be changed by a low-privileged user between the scheduled renewal runs in the unfortunate case of that user account being compromised.
