andreaswolf / ansible-role-letsencrypt

Ansible role for generating certificates with acme-tiny via Let’s Encrypt

fix ownership for the directory containing the generated cert #10

Closed ludovicc closed 8 years ago

ludovicc commented 8 years ago

This is an attempt to fix ownership for the directory containing the generated cert.

See #5. I simply set the user running the script to be letsencrypt_default_key_owner (usually root). It works but it doesn't feel good to let the user run scripts as root. Do you have a better idea?

andreaswolf commented 8 years ago

The script should not run as root, as the certificate generation user should have access to the CSRs, but not the keys (explicitly stated in the Let’s Encrypt docs IIRC).

My attempt is to fix the permissions of the certs dir, not change the user to someone with the permissions set by the OS. I’ll supply a patch for this.
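
The separation discussed in this thread (generation user can read CSRs and write to the certs directory, but cannot read private keys) can be checked mechanically. The following is an added example, not code from this role or from acme-tiny; the paths, the uid/gid 990 for the generation user, and the root-owned certs directory are constructed assumptions.

```python
import os
from collections import namedtuple

# kind is one of: "key" (private key), "csr", "certdir" (directory for issued certs)
Entry = namedtuple("Entry", "path kind uid gid mode")

def allowed(e, uid, gids):
    """Classic POSIX owner/group/other bits for a non-root user (ACLs ignored)."""
    if e.uid == uid:
        return (e.mode >> 6) & 7
    if e.gid in gids:
        return (e.mode >> 3) & 7
    return e.mode & 7

def audit(entries, uid, gids):
    """Return findings for the certificate generation user (uid, gids)."""
    findings = []
    for e in entries:
        bits = allowed(e, uid, gids)
        if e.kind == "key" and (bits & 4):
            findings.append(f"{e.path}: private key readable by generation user")
        elif e.kind == "csr" and not (bits & 4):
            findings.append(f"{e.path}: CSR not readable by generation user")
        elif e.kind == "certdir" and (bits & 3) != 3:
            # write + search are both needed to create a file in a directory
            findings.append(f"{e.path}: generation user cannot create certs here")
    return findings

def from_disk(path, kind):
    """Build an Entry from a real file or directory on the host being audited."""
    st = os.stat(path)
    return Entry(path, kind, st.st_uid, st.st_gid, st.st_mode & 0o7777)

# Constructed sample: uid/gid 990 stands in for the generation user, 0 for root.
SAMPLE = [
    Entry("/etc/example/keys/site.key", "key", 0, 0, 0o600),
    Entry("/etc/example/csrs/site.csr", "csr", 0, 990, 0o640),
    Entry("/etc/example/certs", "certdir", 0, 0, 0o755),  # assumed root-owned
]
# Same layout with only the certs directory handed to the generation user.
FIXED = SAMPLE[:2] + [Entry("/etc/example/certs", "certdir", 990, 990, 0o755)]

if __name__ == "__main__":
    for line in audit(SAMPLE, 990, {990}):
        print(line)
```

The check covers only the mode bits of each entry itself; parent directory permissions and ACLs are out of scope.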