Not a good solution. You must allow root-based access from one server to another. You can use an SSH key, but it’s also not a very secure solution.
For you, perhaps.
Then use a different user.
How so?
Anyway, this user should have sudo permissions to
- write to the directory with certificates in /etc (or symlink)
- restart nginx
Currently, really the best choice is to upload certificates to the home directory of this user, from which there will be symlinks to /etc/, and to set up something like an inotify daemon to reload nginx when these files are changed.
Another solution is sshfs for certificates but the issue with the nginx restart/reload remains open.
An ssh key in authorized_keys can also restrict which commands a user authenticated through that key is allowed to run (maybe that was what you were referring to with “You can use an SSH key, but it’s also not a very secure solution”).
1 Like
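The command restriction mentioned in the last post, combined with the non-root upload user suggested earlier, as an added example that is not from any participant in the thread. The script path, `CERT_DIR`, the request strings (`put …`, `reload`) and the sudoers rule are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command gate for a certificate-push key (added example).
# Assumed authorized_keys entry on the nginx host (key material is a placeholder):
#   restrict,command="/usr/local/bin/cert-deploy-gate" ssh-ed25519 <PUBLIC_KEY> cert-push
# sshd runs this script instead of whatever the client asked for and passes
# the client's request in SSH_ORIGINAL_COMMAND. "restrict" also disables
# PTY allocation and port, agent and X11 forwarding for this key.

CERT_DIR="${CERT_DIR:-$HOME/certs}"   # assumed upload directory, symlinked from /etc

# Map a client request to one fixed action; print it, or return 1 to refuse.
# Only exact strings match, so no client-supplied text reaches a shell or a path.
allowed_action() {
    case "$1" in
        "put fullchain.pem") echo "write:$CERT_DIR/fullchain.pem" ;;
        "put privkey.pem")   echo "write:$CERT_DIR/privkey.pem" ;;
        "reload")            echo "reload" ;;
        *)                   return 1 ;;
    esac
}

# Carry out an action produced by allowed_action.
run_action() {
    case "$1" in
        write:*)
            dest="${1#write:}"
            tmp="$dest.tmp.$$"
            umask 077                              # new files readable by this user only
            cat > "$tmp" && mv "$tmp" "$dest" ;;   # stdin is the file body; rename is atomic
        reload)
            # Assumes a sudoers rule that permits exactly this command and nothing else.
            sudo -n /usr/sbin/nginx -s reload ;;
    esac
}

# Act only when sshd set SSH_ORIGINAL_COMMAND; a login with no command does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    action=$(allowed_action "$SSH_ORIGINAL_COMMAND") || {
        echo "refused: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    run_action "$action"
fi
```

With this in place the pushing server would run, for example, `ssh user@host 'put fullchain.pem' < fullchain.pem` followed by `ssh user@host reload`; any other request string is refused.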