I would like to create a service account that does NOT have sudo access. Has anyone performed cert renewal using a non root user? I this possible?
I created a service account:
The purpose of this service account is to run the following commands:
service nginx restart
I gave the user access to the relevant nginx and certbot log directories using:
setfacl -m u:myServiceAccount:rwx myfolder
I also gave the user access to run the commands:
myServiceAccount ALL=(ALL) NOPASSWD: /etc/sbin/certbot
myServiceAccount ALL=(ALL) NOPASSWD: /etc/sbin/service
However, when I attempt the process I get the following:
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/[myDir]/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/[myDir]/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
Has anyone successfully done this before? Whats the strategy here?
I am running Ubuntu 12.
I believe the actual error from the four line of logs is the third line, you’ll need to give your user permission to access the /etc/letsencrypt/ folder so it could get all the certificate files.
Also, on the second line, the warning simply means you don’t need the user directive since you aren’t running nginx in root / sudo user.
P.S. If you are using certbot, it’s actually intended to run in root / super user, and you might be able to use acme.sh or something similar to run certificate issurance / renewals without super user / root access.(if the program have permission to access all the folder it need)
Thanks for the reply. You are right that I need to give the user access - I actually did, but for some reason it kept saying that error :/.
Regardless, I am looking for some high level guidance here. So I appreciate the note on certbot being intended for root. I will investigate acme.sh. Thank you.
Keeping this open to hear if others have implemented a satisfactory solution in the past.
Here is the solution I came up with.
Certbot indeed requires root/sudo access. So I switched to acme.sh and use the webroot method. Works great.
1.) created non root user
2.) gave user specific access to run certain commands
3.) installed acme.sh
4.) issued new certs using webroot method
5.) Switched nginx confix to use new certs
If you have questions about my implementation you can reach me at firstname.lastname@example.org or by checking out my 360 virtual tour software which uses these certs. Happy to help. Thanks and all the best.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.