Let's Encrypt

Garrett Wollman wollman at bimajority.org
Tue Sep 10 01:44:52 UTC 2019


<<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas at mpeks.tomsk.su> said:

> Trond Endrestøl wrote:
>> 
>> #minute	hour	mday	month	wday	who	command
>> 
>> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

> Is it safe to run certbot as root? 

I can't speak to certbot (I currently use acmetool) but in general,
the thing that certbot does requires the ability to signal whatever
process is using the certificates, which is normally going to be a web
server but might be a mail server, name server, RADIUS server, or some
other application -- as shown in the example above.  So if you don't
run it as root (probably smart) you'll need to find another way to
tell the TLS server application to reload its certificates when
needed.

-GAWollman
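One way to do what the reply describes, as an added example that is not part of the original message or of any ACME client: the client renews as an unprivileged user, and a small root-run helper reloads the server only when the certificate file has changed. The paths, the variable names and the use of `service apache24 reload` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: root-side reload helper; the ACME client itself runs unprivileged.
# Assumed (hypothetical) paths and reload command; adjust to your layout.
CERT="${CERT:-/usr/local/etc/ssl/acme/fullchain.pem}"   # written by the ACME user
STATE="${STATE:-/var/db/cert-reload/fullchain.sha256}"  # root-owned directory
RELOAD_CMD="${RELOAD_CMD:-service apache24 reload}"

# Print the SHA-256 of a file using whichever tool the system has.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                     # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1     # GNU coreutils
    fi
}

# Return 0 if the certificate differs from the one last reloaded,
# 1 if it is unchanged, 2 if it cannot be read.
cert_changed() {
    [ -f "$1" ] || return 2
    new=$(digest "$1") || return 2
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Reload the server only when needed, then record the new digest.
# $3 is deliberately unquoted so a command with arguments is split into words.
reload_if_changed() {
    rc=0
    cert_changed "$1" "$2" || rc=$?
    case $rc in
        0) ;;                                    # changed: go on and reload
        1) return 0 ;;                           # unchanged: nothing to do
        *) echo "skipping: cannot read $1" >&2; return 1 ;;
    esac
    $3 || return 1                               # state untouched, so the next run retries
    digest "$1" > "$2"
}

# Invoked as "script run" from root's crontab; without the argument the
# file only defines the functions.
if [ "${1:-}" = run ]; then
    reload_if_changed "$CERT" "$STATE" "$RELOAD_CMD"
fi
```

The state file has to live where the unprivileged ACME user cannot write, otherwise that user could suppress reloads by pre-seeding the digest.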



More information about the freebsd-security mailing list