After installing certbot (version 3.0.1) via snap on Ubuntu 24.04, and running certbot certonly ..., I noticed the message:
Certbot has set up a scheduled task to automatically renew this certificate in the background.
I specifically ran the certbot command as a non-root user for a reason. However, I noticed that the systemd service and timer are both configured to run as the root user.
Can this be changed such that when not using the root account, that it uses the current user running the program as the User= and users group as the Group= in the service that is created?
That's because the scheduled task was already implemented at installation time, not when you ran the certbot command as a user.
I'm not familiar with systemd timers nor with snap so I can't answer that question.
That said, the Feature Requests category is for Let's Encrypt service feature requests and as Certbot is not such a thing (it's developed by the EFF since a very long time now), I'm going to move this to Client dev, although maybe Help in general would be more applicable..
My apologies for putting this in the wrong category.
I changed the /etc/systemd/system/snap.certbot.renew.service file to contain:
User=certmgr
Group=certmgr
And this appeared to fix the issue. Sadly, I had ignored the comment, # Auto-generated, DO NOT EDIT and when I rebooted the system, it reverted back to not having those lines.
There needs to be a way to change this, or maybe even to not have that configured as part of the install, if it isn't desired for that system.
Thank you for the quick response! That was awesome.
I'm not sure it can be changed that easily. The timer is part of the snap package and is enabled in the Certbot snapcraft.yaml.
Certbot itself was never designed to be run by anything else than root, even though it's possible. You could try opening an issue at Issues · certbot/certbot · GitHub, if there isn't one there already, but I'm not sure if it would help you.
Thanks!