How to: Create a service account ONLY for certificate renewal

Hi all,

I would like to create a service account that does NOT have sudo access. Has anyone performed cert renewal using a non-root user? Is this possible?

I created a service account: myServiceAccount

The purpose of this service account is to run the following commands:

certbot renew
service nginx restart

I gave the user access to the relevant nginx and certbot log directories using:

setfacl -m u:myServiceAccount:rwx myfolder

I also gave the user access to run the commands:

myServiceAccount ALL=(ALL) NOPASSWD: /etc/sbin/certbot
myServiceAccount ALL=(ALL) NOPASSWD: /etc/sbin/service

However, when I attempt the process I get the following:

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/[myDir]/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/[myDir]/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)

nginx: configuration file /etc/nginx/nginx.conf test failed

Has anyone successfully done this before? What's the strategy here?

I am running Ubuntu 12.


Hi,

I believe the actual error from the four lines of logs is the third line; you’ll need to give your user permission to access the /etc/letsencrypt/ folder so it can get all the certificate files.

Also, on the second line, the warning simply means you don’t need the user directive since you aren’t running nginx in root / sudo user.

P.S. If you are using certbot, it’s actually intended to run as root / super user, and you might be able to use acme.sh or something similar to run certificate issuance / renewals without super user / root access (if the program has permission to access all the folders it needs).

Thanks

Thanks for the reply. You are right that I need to give the user access - I actually did, but for some reason it kept saying that error :/.

Regardless, I am looking for some high level guidance here. So I appreciate the note on certbot being intended for root. I will investigate acme.sh. Thank you.

Keeping this open to hear if others have implemented a satisfactory solution in the past.

Hi all,

Here is the solution I came up with.

Certbot indeed requires root/sudo access. So I switched to acme.sh and used the webroot method. Works great.

Essentially I:
1.) created non root user
2.) gave user specific access to run certain commands
3.) installed acme.sh
4.) issued new certs using webroot method
5.) Switched nginx config to use new certs

If you have questions about my implementation you can reach me at clayton@cloudpano.com or by checking out my 360 virtual tour software which uses these certs. Happy to help. Thanks and all the best.

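As an added example (not code from any poster in this thread): a pre-flight check for the acme.sh/webroot setup described above. Run as the renewal account, it lists the certificate files an nginx config references and reports which ones that account cannot open, which is the condition behind the "BIO_new_file ... Permission denied" failure in the first post; it also emits a sudoers rule narrowed to a single nginx reload. The nginx binary path and the cert directory under $HOME are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): before switching nginx to certificates
# that a non-root renewal account manages, verify that every certificate file
# the nginx config names is readable by the account running this script. An
# unreadable file is exactly what produced the "BIO_new_file ... Permission
# denied" failure in the config test quoted in the first post.

# Print the paths named by ssl_certificate, ssl_certificate_key and
# ssl_trusted_certificate in one nginx config file (include files are
# not followed; that is an assumption of this example).
cert_paths() {
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" ||
         $1 == "ssl_trusted_certificate" { sub(/;.*$/, "", $2); print $2 }' "$1"
}

# Report "OK <path>" or "UNREADABLE <path>" for each referenced file.
# Returns 0 only when every file can be opened by the current user.
check_cert_access() {
    status=0
    for p in $(cert_paths "$1"); do
        if [ -r "$p" ]; then
            echo "OK $p"
        else
            echo "UNREADABLE $p"
            status=1
        fi
    done
    return $status
}

# Emit a sudoers rule scoped to the one privileged operation the renewal
# account needs (reloading nginx) instead of "(ALL) NOPASSWD: /etc/sbin/service",
# which lets the account restart any service on the host. The nginx binary
# path is an assumption; confirm it with "command -v nginx" on the host.
sudoers_rule() {
    echo "$1 ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload"
}

# Typical use with acme.sh and the webroot method (flags are acme.sh's own;
# the cert directory under $HOME is an assumption):
#   acme.sh --issue -d example.com -w /var/www/html
#   acme.sh --install-cert -d example.com \
#       --key-file       "$HOME/certs/privkey.pem" \
#       --fullchain-file "$HOME/certs/fullchain.pem" \
#       --reloadcmd      "sudo /usr/sbin/nginx -s reload"
#   check_cert_access /etc/nginx/nginx.conf   # run as the renewal account
```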
