Do renewal hooks run as root in certbot?

The Certbot User Guide gives this example:

sudo sh -c 'printf "#!/bin/sh\nservice haproxy stop\n" > /etc/letsencrypt/renewal-hooks/pre/haproxy.sh'
sudo sh -c 'printf "#!/bin/sh\nservice haproxy start\n" > /etc/letsencrypt/renewal-hooks/post/haproxy.sh'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/haproxy.sh

I'm using systemctl to restart my services. Will it run as root? Or do I need to set up permissions somehow so that Certbot can run systemctl restart? I haven't had my certificate renewed yet and if I try to do --dry-run it tells me port 80 is taken so I don't know exactly what's going to happen when Certbot tries to run the renewal hook.

Should run as the same user as Certbot.

Perhaps there's too little time between the stop command and the attempt to start the standalone authenticator? You might want to add a delay perhaps? Or at least try that.


As a warning I have never used HAProxy 🙂

But, there is a nice blog at HAProxy about using the acme.sh ACME client to avoid having to stop/start HAProxy.

Of course, I don't know if this is useful to you. But, I generally prefer any solution which avoids downtime to the server.

PS: I also moved your thread to the Help section


I do not use HAProxy. I have my own services to start and stop instead (this was just an example from the User Guide).

So should I put certbot to sudoers and allow him to run only systemctl as sudo?

Usually Certbot is run as root as a whole. See Frequently Asked Questions | Certbot.

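As an added example (not from the Certbot User Guide or from anyone in this thread), here is a pre-hook that combines the two answers above: it checks that it is running as root before calling systemctl, and after stopping the service it waits until port 80 is actually free so the standalone authenticator does not race the old listener. The unit name, the port, the timeout and the use of `ss` for the port check are assumptions.

```shell
#!/bin/sh
# Pre-hook for /etc/letsencrypt/renewal-hooks/pre/ (added example, not from
# the Certbot User Guide). Assumed: MYSERVICE/PORT/TIMEOUT are placeholders
# you adjust, and `ss` (iproute2) is available for the port check.
set -e

SERVICE="${SERVICE:-myservice.service}"   # placeholder unit name
PORT="${PORT:-80}"                         # port the standalone authenticator needs
TIMEOUT="${TIMEOUT:-15}"                   # seconds to wait for the port to free up

# Hooks inherit Certbot's user; `systemctl stop` needs root, so fail early if not.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Returns 0 while something still listens on TCP port $1 (uses ss, assumed present).
port_in_use() {
    ss -Hltn "sport = :$1" 2>/dev/null | grep -q .
}

# Re-run the command "$@" until it fails or $1 seconds elapse; 0 = condition cleared.
wait_until_clear() {
    secs=$1; shift
    while "$@"; do
        [ "$secs" -gt 0 ] || return 1
        secs=$((secs - 1))
        sleep 1
    done
    return 0
}

main() {
    if ! require_root; then
        echo "pre-hook: must run as root (got uid $(id -u))" >&2
        exit 1
    fi
    systemctl stop "$SERVICE"
    # Certbot binds :$PORT as soon as this hook returns, so do not return
    # until the old listener is really gone (this is the "add a delay" advice).
    if ! wait_until_clear "$TIMEOUT" port_in_use "$PORT"; then
        echo "pre-hook: port $PORT still busy after ${TIMEOUT}s" >&2
        exit 1
    fi
}

# Only run main when installed as a renewal hook, not when sourced for testing.
case "$0" in
    */renewal-hooks/*) main "$@" ;;
esac
```

The matching post-hook only needs `systemctl start "$SERVICE"`; the same root check applies there.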
