Certbot must check read access for web-server user on renewal



The certbot 0.28.x renewal process uses several files and directories outside the web-server’s reachability. So the web-server’s config gets rewritten to direct authentication requests to those places. If the web-server’s user (i.e. www-data) cannot access those places due to file system restrictions, the requests fail.

See: Certbot renew stopped working at all

TODO: Determine the web-server’s runtime user and check whether access is granted.

THX a lot!
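A sketch of the check the post asks for, as an added example that is not part of the original post and is not Certbot code: for a given account it reports every path component whose mode bits deny traversal or read access. The function names are hypothetical, and the check assumes plain POSIX mode bits only (no ACLs, SELinux, AppArmor or mount options).

```python
import os
import pwd
import stat
import sys

def ids_for_user(name):
    """Look up uid and the full group set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))

def mode_allows(st, uid, gids, want):
    """POSIX class selection: owner bits if uid matches, else group bits, else other."""
    if uid == 0:
        return True  # simplification: root is not limited by mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def blocked_components(path, uid, gids):
    """Return every component of `path` that the mode bits deny to uid/gids."""
    target = os.path.realpath(path)
    dirs, cur = [], os.path.dirname(target)
    while True:
        dirs.append(cur)
        if os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    # Each ancestor directory needs search (x) permission.
    blocked = [d for d in reversed(dirs) if not mode_allows(os.stat(d), uid, gids, 0o1)]
    st = os.stat(target)
    # Assumption: a target directory must be listable and searchable (r-x), a file readable (r).
    want = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
    if not mode_allows(st, uid, gids, want):
        blocked.append(target)
    return blocked

if __name__ == "__main__":
    # Usage: script.py USER PATH [PATH ...]; the user name is supplied by the operator.
    uid, gids = ids_for_user(sys.argv[1])
    for p in sys.argv[2:]:
        bad = blocked_components(p, uid, gids)
        print(p, "OK" if not bad else "blocked at: " + ", ".join(bad))
```

Run it with the web server's account name and the paths the rewritten config points to; an empty result means only that the mode bits permit access.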