-
For those who know, they can just read the bootstrap.sh files and be pretty sure it is clean and safe to give root access, but I completely agree that it shouldn’t be asking for it at all. It should, like any other sane *nix program, attempt to do whatever it needs to do and FAIL WITH AN ERROR CODE if some operation is not possible.
-
Look up the webroot auth method. It allows the client to put its ACME challenge response in a file so your already-running server can serve it. e.g., in nginx, include something like the following and set the webroot options to letsencrypt appropriately. See Using the webroot domain verification method

    location /.well-known/acme-challenge {
        alias /var/www/letsencrypt;
        index index.html;
        # exact match on the bare directory: drop the connection instead of listing it
        location = /.well-known/acme-challenge {
            try_files $uri $uri/ =444;
        }
    }
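To see what that nginx block is expected to do before pointing a real client at it, here is an added stand-in written for this thread (not the commenter's code and not part of any Let's Encrypt client): a loopback HTTP server that aliases the challenge prefix onto a webroot directory, serves only a single bare filename under it, and mimics `=444` by dropping the connection for the bare directory. The directory path, port and token values are chosen by the caller and are assumptions.

```python
import os
from http import HTTPStatus
from http.client import HTTPException
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread
from urllib.error import HTTPError
from urllib.request import urlopen

PREFIX = "/.well-known/acme-challenge/"

class WebrootHandler(BaseHTTPRequestHandler):
    # Stand-in for the nginx block: requests under PREFIX are aliased onto
    # server.webroot; the bare directory gets the nginx =444 treatment.
    def do_GET(self):
        if self.path.rstrip("/") == PREFIX.rstrip("/"):
            self.close_connection = True  # mimic 444: drop without a response
            return
        token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else ""
        # Only one bare filename may be served: no traversal, no subdirectories.
        if not token or "/" in token or token in (".", ".."):
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        try:
            with open(os.path.join(self.server.webroot, token), "rb") as fh:
                body = fh.read()
        except OSError:
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve_webroot(webroot):
    # Bind a free loopback port (assumed available); returns (server, base_url).
    server = HTTPServer(("127.0.0.1", 0), WebrootHandler)
    server.webroot = webroot
    Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def fetch(url):
    # GET url -> (status, body); (None, None) if the connection was dropped.
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, None
    except (OSError, HTTPException):
        return None, None
```

Drop a constructed token file into the webroot, start `serve_webroot` on it, and `fetch` the token URL, the bare directory and a traversal attempt to confirm you get 200, a dropped connection and 404 respectively.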