Certbot: create ACME file (and directory) as another user


Currently I am doing some tests and have a working system using Let's Encrypt on an apache-mpm-itk web server.

With apache-mpm-itk, the user for Apache is set in the virtual host. If I don't change anything, the .well-known directory and its contents are owned by root:root, and my user doesn't have access to them, so a 403 error happens.

So, currently I use an ACL: setfacl -m d:u:username:rX /home/username/htdocs/www/

And then:

/root/bin/certbot-auto certonly \
--email me@example.net \
--user-agent letsencrypt \
--webroot \
-w /home/username/htdocs/www/ -d username.example.net

Does anyone have another solution?

I didn't find a merge request or issue about this on the git repo, but maybe I didn't search enough :slight_smile:

PS: using manual certbot on Debian/Linux 7.
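As an added illustration (this is not code from the thread, and not part of certbot): a POSIX shell pre-flight check that walks from the webroot down to .well-known/acme-challenge and reports the first directory that "others" cannot traverse, or token file that "others" cannot read, using only the classic mode bits from ls. Under apache-mpm-itk the vhost runs as an unprivileged user, so a root:root directory with a restrictive mode is exactly what produces the 403 described above. The paths and the vhost user name are placeholders; the function does not parse POSIX ACLs, so with the setfacl workaround in the post you would confirm the named-user entry with getfacl instead.

```shell
#!/bin/sh
# Added example, not code from the thread above.
# Before running certbot-auto --webroot, walk from the webroot to
# .well-known/acme-challenge and report the first directory that "others"
# cannot traverse (o+x) or token file that "others" cannot read (o+r).
# Under apache-mpm-itk the vhost runs as an unprivileged user, so a
# root:root directory with a restrictive mode produces the 403 described
# above. This looks only at the classic mode bits, not at POSIX ACLs.

# mode_of PATH: print the 10-character mode string, e.g. drwxr-xr-x.
# (ls prints a trailing "+" when an ACL is present; cut drops it.)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_challenge_path WEBROOT
# Exit status 0 when the whole chain is reachable for "others";
# otherwise print the first offending path with its mode and return 1.
check_challenge_path() {
    webroot=${1%/}                        # tolerate a trailing slash
    chal="$webroot/.well-known/acme-challenge"

    # Every directory on the way to the token must be traversable.
    for d in "$webroot" "$webroot/.well-known" "$chal"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            return 1
        fi
        m=$(mode_of "$d")
        case "$m" in
            ?????????x) ;;                # other-x set: traversable
            *) echo "not traversable by others: $d ($m)"; return 1 ;;
        esac
    done

    # Token files written by certbot must be readable by the vhost user.
    for f in "$chal"/*; do
        [ -f "$f" ] || continue           # no tokens yet (glob unmatched)
        m=$(mode_of "$f")
        case "$m" in
            ???????r??) ;;                # other-r set: readable
            *) echo "not readable by others: $f ($m)"; return 1 ;;
        esac
    done
    return 0
}

# Usage (paths and user are placeholders from the post):
#   check_challenge_path /home/username/htdocs/www/ && \
#       /root/bin/certbot-auto certonly --webroot \
#           -w /home/username/htdocs/www/ -d username.example.net
```

Run it as root or as the vhost user after certbot has written a token; if ls shows a "+" after the mode, the directory carries an ACL and getfacl will show whether the vhost user has a named entry even when the "other" bits are empty.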

I’m not aware of a setting in certbot to change the owner of a file.

You could potentially set certbot up to run as the user; then I think it will place the token as that user. However, it would probably have a problem reloading Apache, since the user won't have that permission.

You could probably define a certbot user, which you use, and all the hosts have permission to read files from the certbot user?

You could use one of the alternative clients, GetSSL (I'm biased because I wrote this script). With that you can define TOKEN_USER_ID, which will set the user who owns the token to whatever you set it to (and you can set it separately for each different certificate).

About "set user": right, the SSL files need root access :slight_smile:
certbot user: why not, with rights to /etc/letsencrypt. But I have different users for apache-mpm-itk.

The only solutions (except ACLs) seem to be:

  • Add a new option in certbot-auto to "set the user" for directory creation
  • Use a different GetSSL cron script with different usage (but I think it has nearly the same issue with /etc/! My web users have no write rights in this directory)

I think I'll stay with ACLs for now (I already have a lot of ACLs on this server), and look for an alternative solution :slight_smile:
