Certbot: Running without Administrator privileges on Windows

On Windows Certbot checks if the user is an administrator and raises an exception if not.

Is the main use case of Administrator mode to make sure the user has the Windows API specific SeCreateSymbolicLinkPrivilege?

This privilege may be assigned to the user running certbot in other ways, such as User Rights Assignment or handing the process an impersonation token.

Would the project accept a PR that, instead of raising during this check, checks for the existence of SeCreateSymbolicLinkPrivilege? This would then, on Windows, match the FAQ statement that running certbot as root is optional.

2 Likes

Aside from the arguments in the other thread, the ACLs created and re-enforced on the folders and files every time Certbot runs give write rights only to the System and the Administrators group. certbot/filesystem.py at master · certbot/certbot · GitHub That would have to be modified to allow a specific non-administrator user to modify the files.

2 Likes

That's interesting. Do you know the purpose of this, instead of for example inheriting from CreatorOwner?

To minimize the possibility of random applications or users being able to screw up or potentially compromise a very important aspect of the system configuration, of course, at least without elevation. Certbot is designed around the ideal of being a relatively turnkey application for beginners-to-middling users (although acme.sh can be both simpler and more flexible, arguably).

You could probably split it into two pieces, a root-requiring one that handles the certificates and a lower-rights side that does the network communication and writing to the web folder, but I think that's been tried a few times and never finished.

Thank you. The FAQ even seems to suggest it should be this way:

Whether root is required to run Certbot or not depends on how you intend to use it.

The end result story I hope for: One can run Certbot as an otherwise non-Administrator user, and have it successfully create / renew / write certificates and private keys to a directory on which one can apply one's choice of DACLs. If users want to use things like the --webroot option with privileged directories, it can continue to run with Administrator privileges.

I ran into a nasty user experience issue at the end of implementing the priv check: Unprivileged users don't see SeCreateSymbolicLinkPrivilege in an interactive desktop session of powershell.exe even though it's there when I run certbot using runas for the same user. Nor does the interactive session have the privilege to assign privileges.
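As an added example (not code from the thread or from Certbot), the PowerShell below reports what the two checks discussed here each see for the current process token: the Administrator role test and a test for SeCreateSymbolicLinkPrivilege, so an interactive session and a runas session for the same user can be compared. It also lists the ACL entries on a Certbot directory, whose path is a placeholder you must set.

```powershell
# Added example, not Certbot's own code. Run it once in an interactive
# powershell.exe and once under runas to compare the tokens.

function Test-IsAdministrator {
    # The check Certbot performs today: is the token in the Administrators role?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenPrivilege {
    # 'whoami /priv' prints one row per privilege held by the token, with a
    # State column of Enabled or Disabled. Parse the rows into objects.
    whoami /priv | ForEach-Object {
        if ($_ -match '^(Se\w+Privilege)\s+.+\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; State = $Matches[2] }
        }
    }
}

function Test-SymlinkPrivilege {
    # The alternative check proposed in this thread. A privilege that is
    # present but Disabled can still be enabled by the process itself; one
    # that is absent from the token cannot be enabled at all, which is the
    # situation described for the interactive session above.
    $p = Get-TokenPrivilege | Where-Object { $_.Name -eq 'SeCreateSymbolicLinkPrivilege' }
    if (-not $p) { return 'absent' }
    return $p.State
}

function Show-CertbotAcl {
    # Placeholder path: point this at the Certbot config directory whose ACLs
    # Certbot rewrites on every run.
    param([string]$Path = 'C:\PLACEHOLDER\certbot')
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

"Administrator role           : $(Test-IsAdministrator)"
"SeCreateSymbolicLinkPrivilege: $(Test-SymlinkPrivilege)"
Show-CertbotAcl | Format-Table -AutoSize
```

A result of 'absent' in the interactive session alongside 'Disabled' or 'Enabled' under runas reproduces the mismatch the post above describes.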

Just a quick shout out for the variety of ACME clients that were written for Windows specifically. Many run without needing admin privs unless you're doing stuff that would require it like importing certs into a privileged cert store.

And since you mentioned PowerShell, I would humbly recommend Posh-ACME as its developer. Config data is stored in a folder within %LOCALAPPDATA% by default. But you can change that with a %POSHACME_HOME% environment variable and apply whatever permissions you'd like to that folder as long as the process running the module has write access.

2 Likes

@rmbolger Does Posh-ACME support using an http/s (forward) proxy for contacting ACME providers? I'm in a somewhat restricted environment that way. So cool to see DNS Alias challenge support!

It ultimately relies on PowerShell's native proxy support for the web cmdlets, which tends to vary a little between versions in my experience. There's no explicit proxy support within the module (at the moment). But generally if the proxy related environment variables are configured such that Invoke-RestMethod or Invoke-WebRequest work properly, Posh-ACME will work as well. An easy test is to query the main directory endpoint like this.

Invoke-RestMethod https://acme-v02.api.letsencrypt.org/directory

1 Like
