Hi,
Currently I do some tests and have a working system using Let's Encrypt on an apache-mpm-itk webserver.
With apache-mpm-itk, the user for Apache is set in the virtual host, so if I don't change anything, the .well-known directory and its content are owned by root:root, and my user doesn't have access to it: a 403 error happens.
So currently I use an ACL: setfacl -m d:u:username:rX /home/username/htdocs/www/
And after:
/root/bin/certbot-auto certonly \
--email me@example.net \
--user-agent letsencrypt \
--webroot \
-w /home/username/htdocs/www/ -d username.example.net
Does someone have another solution?
I didn't find a merge request or issue about this on the git repo, but maybe I didn't search enough.
Thanks
PS: using manual certbot on Debian/Linux 7.
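A pre-flight check for the situation described in this post, added here as an example and not code from the thread or from certbot: it judges from the classic mode bits whether the vhost's uid/gid can traverse the webroot down to .well-known/acme-challenge and read the tokens there, which is exactly what fails with a 403 when certbot creates them as root:root. It assumes GNU stat(1) and does not evaluate POSIX ACLs, so on a tree managed with setfacl a failing result has to be re-checked with getfacl.

```sh
#!/bin/sh
# Added example (not from this thread): mode-bit pre-flight check for the
# mpm-itk webroot problem. Assumes GNU stat(1). POSIX ACLs added with setfacl
# are NOT evaluated here (stat shows only the classic bits and the ACL mask),
# so a failure on an ACL-managed tree must be re-checked with getfacl.

# perm_class PATH UID GID: print the rwx triple of PATH that applies to a
# process running as UID/GID (owner, group or other class, chosen the way
# the kernel does: owner match wins, then group, then other).
perm_class() {
    st=$(stat -c '%A %u %g' "$1") || return 2
    set -- "$2" "$3" $st   # $1=uid $2=gid $3=e.g. drwxr-x--- $4=owner $5=group
    if [ "$4" -eq "$1" ]; then
        printf '%s' "$3" | cut -c2-4
    elif [ "$5" -eq "$2" ]; then
        printf '%s' "$3" | cut -c5-7
    else
        printf '%s' "$3" | cut -c8-10
    fi
}

# acme_path_readable WEBROOT UID GID: succeed if UID/GID can traverse
# WEBROOT/.well-known/acme-challenge (x on every directory; s and t also
# imply x) and read every token file in it; otherwise print the first
# offending path and fail. Directories above WEBROOT are assumed traversable.
acme_path_readable() {
    chal="$1/.well-known/acme-challenge"
    for d in "$1" "$1/.well-known" "$chal"; do
        [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
        case $(perm_class "$d" "$2" "$3") in
            ??[xst]) ;;
            *) echo "uid $2 cannot traverse $d"; return 1 ;;
        esac
    done
    for f in "$chal"/*; do
        [ -f "$f" ] || continue            # empty dir leaves the glob literal
        case $(perm_class "$f" "$2" "$3") in
            r??) ;;
            *) echo "uid $2 cannot read token $f"; return 1 ;;
        esac
    done
    echo "ok: uid $2 can serve tokens from $chal"
}

# Usage (run before certbot, with the vhost user from the mpm-itk config):
#   sh acme_check.sh /home/username/htdocs/www "$(id -u username)" "$(id -g username)"
if [ $# -eq 3 ]; then acme_path_readable "$1" "$2" "$3"; fi
```

Run it as root after certbot has written a token to confirm that the mpm-itk user, not just root, can read it.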
I’m not aware of a setting in certbot to change the owner of a file.
You could potentially set certbot up to run as the user; then I think it will place the token as that user. However, it would probably have a problem reloading Apache, since the user won't have that permission.
You could probably define a certbot user, which you use, and all the hosts have permission to read files from the certbot user?
You could use one of the alternative clients: GetSSL (I'm biased because I wrote this script). With that you can define TOKEN_USER_ID, which will set the user who owns the token to whatever you set it to (and you can set it separately for each different certificate).
About "set user": right, the SSL files need root access.
certbot user: why not, with the rights to /etc/letsencrypt. But I have different users for apache-mpm-itk.
The only solutions (except ACLs) seem to be:
- Add a new option in certbot-auto to "set the user" for directory creation
- Use a different GetSSL cron script with different usage (but I think it has nearly the same issue with /etc/! my web users have no write rights in this directory)
I think I'll stay with ACLs for now (I already have a lot of ACLs on this server), and look for an alternative solution.