remove usage of "acme" user, root does all the work
Recent versions of certbot need to be run as root, so there is no good reason to run it as an unprivileged user anymore.
This commit is contained in:
parent
6ae5157699
commit
fdbfc13d79
|
@ -11,6 +11,8 @@ This project does not follow semantic versioning.
|
|||
|
||||
### Changed
|
||||
|
||||
* remove usage of "acme" user, root does all the work
|
||||
|
||||
### Deprecated
|
||||
|
||||
### Removed
|
||||
|
|
19
evoacme.sh
19
evoacme.sh
|
@ -118,21 +118,21 @@ main() {
|
|||
[ "$1" = "-V" ] || [ "$1" = "--version" ] && show_version && exit 0
|
||||
|
||||
mkdir -p "${ACME_DIR}"
|
||||
chown acme: "${ACME_DIR}"
|
||||
chown root: "${ACME_DIR}"
|
||||
[ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable"
|
||||
|
||||
[ -d "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not found"
|
||||
|
||||
mkdir -p "${CRT_DIR}"
|
||||
chown acme: "${CRT_DIR}"
|
||||
chown root: "${CRT_DIR}"
|
||||
[ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable"
|
||||
|
||||
mkdir -p "${LOG_DIR}"
|
||||
chown acme: "${LOG_DIR}"
|
||||
chown root: "${LOG_DIR}"
|
||||
[ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable"
|
||||
|
||||
mkdir -p "${HOOKS_DIR}"
|
||||
chown acme: "${HOOKS_DIR}"
|
||||
chown root: "${HOOKS_DIR}"
|
||||
[ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found"
|
||||
|
||||
readonly VHOST=$(basename "$1" .conf)
|
||||
|
@ -195,7 +195,7 @@ main() {
|
|||
|
||||
[ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
|
||||
mkdir -p "${NEW_DIR}"
|
||||
chown -R acme: "${CRT_DIR}"
|
||||
chown -R root: "${CRT_DIR}"
|
||||
chmod -R 0700 "${CRT_DIR}"
|
||||
chmod -R g+rX "${CRT_DIR}"
|
||||
debug "New cert will be created in ${NEW_DIR}"
|
||||
|
@ -218,15 +218,14 @@ main() {
|
|||
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email"
|
||||
fi
|
||||
|
||||
# Permissions checks for acme user
|
||||
sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'"
|
||||
sudo -u acme test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable by user 'acme'"
|
||||
# Permissions checks
|
||||
test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable"
|
||||
test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable"
|
||||
|
||||
# create a certificate with certbot
|
||||
# we disable the set -e during the certbot call
|
||||
set +e
|
||||
sudo -u acme \
|
||||
"${CERTBOT_BIN}" \
|
||||
"${CERTBOT_BIN}" \
|
||||
certonly \
|
||||
${CERTBOT_MODE} \
|
||||
${CERTBOT_REGISTRATION} \
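Review bot: The replacement permission checks `test -r "${CSR_FILE}"` and `test -w "${NEW_DIR}"` become effectively vacuous once the script runs as root, because root bypasses discretionary read/write permissions; they now only catch a missing path or a read-only filesystem, and `NEW_DIR` was created by this script a few lines earlier anyway. Since nothing left in the script asserts the privilege level the commit now relies on, an explicit guard near the top of main(), e.g. `[ "$(id -u)" -eq 0 ] || error "evoacme must be run as root"`, would give a clear failure instead of an EPERM from the first chown under set -e; main() starts outside this hunk. The checks themselves would be more honest as existence checks, `[ -f "${CSR_FILE}" ] || error "File ${CSR_FILE} is not found"` and `[ -d "${NEW_DIR}" ] || error "Directory ${NEW_DIR} is not found"`. Separately, the earlier `chmod -R g+rX "${CRT_DIR}"` in this file now grants group root rather than group acme; if that group bit was meant to let a service account read the issued certificates, it presumably needs a different group now — worth confirming.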
|
||||
|
|