Documentation give insecure advice

The documentation states that ceritificates are stored under /etc/letsencrypt, and that web servers should be configured to use these by symlinking.

In order for those symlinks to work, the http server’s configuration needs to be altered to disable chrooting, and have access to the entire / tree. This is generally pretty bad advice, and many less-knowing users will follow it, notice that disabling chroots is required, and do that as well.

The docs should really recommend some alternate method - the problem is, I haven’t seen if it’s possible to configure letsencrypt to use a different directory for live certificates.

I think there’s a configuration option for another directory, but I’m not sure. Just another note: Most less-knowing users won’t even chroot their server.

Most less-knowing users won’t even chroot their server.

Some distributions do this out of the box, so it’s no up to user knowledge.

Have you tried the --config-dir and --work-dir flags?

1 Like