Letsencrypt asks for root password? Where to find good client documentation?


#1

Hi,
I would like to use letsencrypt as soon as it is public beta to replace my self-signed certificate. So I thought maybe try to find out how it works before I’m actually using it on a server.

  1. I cloned and started it and I was shocked: I was asked for my root password and not even a reason was stated! As it was just a desktop live-cd system I didn’t care, but on a real server I would never do that. Without any further question it installed additional packages. Automation is nice, but a program that installs something without asking is - simply speaking - rude. If you want a program to behave like that you normally set a switch like --force-yes.
    I really like your initiative and don’t want to offend anybody, but why don’t you just print a message like:
    “letsencrypt cannot run because some software is missing, you can install it by calling:
    apt-get install [package names]”. That would be nice.
    Asking for a root password is IMHO a no-go. If a program needs root access for some reason, it should be run as root and not ask for the root password. And I was only running --help…
  2. Unfortunately I still could not find out how it really works. Maybe I just couldn’t find the right documentation, but what I basically find is it’s super-simple you just have to call letsencrypt-auto and it will do everything for you including server configuration. I do not like that kind of simple. I like to understand what is going on.
    How I would like the letsencrypt client to work: Every 90 days it is called by cron, it sends the CSR I generated to letsencrypt, it sets up its own server on some weird port (to not interfere with the webserver), letsencrypt server verifies I’m in control of the domain, sends back the signed certificate, the client replaces the old certificate and that’s it for 90 days. That’s what I would consider simple. Is it possible to run letsencrypt like that?
    Best regards
    Stefan

#2
  1. For those who know, they can just read the bootstrap.sh files and be pretty sure it is clean and safe to give root access, but I completely agree that it shouldn’t be asking for it at all. It should, like any other sane *nix program, attempt to do whatever it needs to do and FAIL WITH AN ERROR CODE if some operation is not possible.

  2. Look up the webroot auth method. It allows the client to put its ACME challenge response in a file so your already-running server can serve it. E.g., in nginx, include something like the following and set the webroot options to letsencrypt appropriately. See Using the webroot domain verification method

location /.well-known/acme-challenge {
    alias /var/www/letsencrypt;
    index index.html;
    location = /.well-known/acme-challenge {
        try_files $uri $uri/ =444;
    }
}
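
Added example (not part of the original post and not the letsencrypt client's own code): what the webroot method boils down to on disk, assuming the http-01 key-authorization format of ACME (RFC 8555) and the JWK thumbprint of RFC 7638. The account key and token are constructed sample values, and the function names are hypothetical.

```python
import base64, hashlib, json, os, re, tempfile

# Constructed sample values: not a real account key and not a CA-issued token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256",
              "n": "constructed-modulus-for-illustration"}
SAMPLE_TOKEN = "constructed_Token-0123456789abcdefABCDEF"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def provision(webroot: str, token: str, jwk: dict) -> str:
    """Write the challenge response where the already-running server serves it."""
    if not TOKEN_RE.fullmatch(token):  # "../../x" must never become a file path
        raise ValueError("token is not base64url")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, mode=0o755, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    # Only write access to this one directory is required, not root.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as webroot:  # stands in for the docroot
        path = provision(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path) as fh:
            return os.path.relpath(path, webroot), fh.read()


if __name__ == "__main__":
    print(demo())
```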

#3

while webroot method doesn’t touch existing web server, the software dependencies for the letsencrypt client DO require root access to install i.e. yum or apt packages like python etc

indeed i agree, although never came across this with letsencrypt as I always ran as root user in the first place as I knew those software dependencies and web server do require root access to play with.

i use letsencrypt via webroot authentication plugin Letsencrypt Webroot Authentication Tested on Beta invited/whitelisted domain and Using the webroot domain verification method

my current LE integration progress https://community.centminmod.com/posts/20305/


#4

Thanks for your fast replies, webroot seems to be a really good way. Is it documented somewhere? Like is there complete documentation of all switches and parameters in command-line and config file? All I can find is examples and guides for certain configurations, but not a real documentation to see all possibilities. In --help webroot is not mentioned at all, only apache and standalone.

I had the system running for a few hours and now after first install letsencrypt wants root access again?? What is it doing? It doesn’t tell me. I do not want any kind of program running on a real web system that auto-updates itself or even other software on the system, as there is a good chance of breaking something. I’m sorry to say that, but currently the behavior of the letsencrypt client makes it not very trustworthy. How can I run letsencrypt without the need of root access? Using webroot it just needs write access to the certificate and a subfolder inside the webroot, so no root access needed.
For me it seems the inventors wanted to create a software as dummy-friendly as possible and forgot all the users that have at least basic knowledge of the system they are administrating. And honestly, unencrypted web-traffic is not the biggest security concern if the administrator is unable to install some software package with apt-get or whatever his distribution uses.


#5

[quote=“stefan_o, post:4, topic:3782”]
Like is there complete documentation of all switches and parameters in command-line and config file? All I can find is examples and guides for certain configurations, but not a real documentation to see all possibilities. In --help webroot is not mentioned at all, only apache and standalone.
[/quote]
unfortunately documentation that extensive doesn’t exist ?? @kelunik @jsha ?

[quote=“stefan_o, post:4, topic:3782”]
I had the system running for a few hours and now after first install letsencrypt wants root access again?? What is it doing?
[/quote]
what commands or actions you doing to prompt for root access again ? unfortunately i run as root user on headless CentOS only so never have such issues.


#6

[quote=“eva2000, post:5, topic:3782”]
what commands or actions you doing to prompt for root access again ? unfortunately i run as root user on headless CentOS only so never have such issues.
[/quote]
All I did was “letsencrypt-auto --help” to look for the webroot options.


#7

I found the immediate request for my sudo password after running letsencrypt-auto to be very odd and off-putting as well, the first time I tried to run it.

It looks like letsencrypt-auto always tries to verify and/or install the correct environment, including external package dependencies, every time it is run. At least on Debian systems, the bootstrap.sh uses apt-get to do the package check, and apt-get requires root level access. Because letsencrypt-auto is doing that environment check every time before it calls letsencrypt, even something as simple as requesting ‘--help’ through letsencrypt-auto ends up requiring root access.

It’s not clear to me from the beta instructions if I’m supposed to be running letsencrypt-auto every time or not. Is letsencrypt-auto meant to be more of a one time installer program for the letsencrypt command, akin to running ‘make install’ after a build? It seems like it’s not the kind of command that one would want to run unattended, given the level of access it has to make system level changes.

Anyway, after going through the scripts to figure out what they were trying to do, I did let letsencrypt-auto run with root, and after some additional packages were installed, everything went swimmingly. VERY COOL PROJECT! :yum:


#8

could be difference, i only run letsencrypt-auto 1st time https://community.centminmod.com/threads/letsencrypt-free-ssl-certificates-with-web-root-authentication-method.4635/

for actual certificates i run letsencrypt command - for example

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth

#9

I guess if the docs had said, “You need to run letsencrypt-auto installer one time as root to install packages and set up the environment, and then run letsencrypt with appropriate permissions when you need to renew”, I wouldn’t have given it a second thought.

I understand this is a dev beta. Is the plan ultimately to make letsencrypt install onto the system under /usr/bin or somewhere other than in a user .local directory?