Do renewal hooks run as root in certbot?

The Certbot User Guide gives this example:

sudo sh -c 'printf "#!/bin/sh\nservice haproxy stop\n" > /etc/letsencrypt/renewal-hooks/pre/'
sudo sh -c 'printf "#!/bin/sh\nservice haproxy start\n" > /etc/letsencrypt/renewal-hooks/post/'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/

I'm using systemctl to restart my services. Will it run as root? Or do I need to set up permissions somehow so that Certbot can run systemctl restart? I haven't had my certificate renewed yet and if I try to do --dry-run it tells me port 80 is taken so I don't know exactly what's going to happen when Certbot tries to run the renewal hook.

Should run as the same user as Certbot.

Perhaps there's too little time between the stop command and the attempt to start the standalone authenticator? You might want to add a delay perhaps? Or at least try that.

1 Like

As a warning I have never used HAProxy :slight_smile:

But, there is a nice blog at HAProxy about using the ACME client to avoid having to stop/start HAProxy.

Of course, I don't know if this is useful to you. But, I generally prefer any solution which avoids downtime to the server.

PS: I also moved your thread to the Help section


I do not use HAProxy. I have my own services to start and stop instead (this was just an example from the User Guide).

So should I put certbot to sudoers and allow him to run only systemctl as sudo?

Usually Certbot is ran as root as a whole. See Frequently Asked Questions | Certbot.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.