Closed madoke closed 2 years ago
In the meantime, I found this https://certbot.eff.org/docs/using.html#where-are-my-certificates in certbot's documentation, which suggests that we can change ownership and permissions of the certificate folder after generating it and it will be preserved through renewals. The solution was quickly implemented with a post task to change permissions after running the role.
I have recently run into a use case where I'd need a non-root service to make use of certbot-generated certificates. As you know, `/etc/letsencrypt/live` is access restricted, which makes it impossible to use by services which are unable to escalate privileges. It is also true that most of these services could be proxied by `nginx`, but in the case that they can't (`ipfs-cluster` in this case) for some weird reason, an alternative as suggested here: https://github.com/certbot/certbot/issues/7412 would be to use a `post-hook` script that would copy the certificates to a different folder/user/group after generation.

The support for hooks in this role is restricted to start/stop services; some customisability would be nice. I'll be glad to contribute if any of this makes sense.
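The copy-out hook described above, as an added example that is not part of the issue or of the role being discussed: a certbot deploy hook that copies the lineage's `fullchain.pem` and `privkey.pem` into a directory an unprivileged service can read, then tightens modes and ownership. It relies on certbot exporting `RENEWED_LINEAGE` to deploy hooks; the destination path and the `ipfs-cluster` owner are assumptions.

```shell
#!/bin/sh
# Added example, not the issue author's or the certbot role's code.
# Intended to be installed as a certbot --deploy-hook: certbot sets
# RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> when a cert is issued.

# copy_certs <lineage_dir> <dest_dir> [owner:group]
# Returns 1 without touching <dest_dir> if the lineage is incomplete.
copy_certs() {
    lineage="$1"; dest="$2"; owner="${3:-}"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    # Files are created private first (umask 077), then opened up explicitly,
    # so there is no window where the key is world-readable.
    umask 077
    mkdir -p "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        # cp follows the symlinks in live/, so the real archive file is copied.
        # Copy to a temp name and rename so a reader never sees a partial key.
        cp "$lineage/$f" "$dest/$f.tmp" || return 1
        mv "$dest/$f.tmp" "$dest/$f" || return 1
    done
    chmod 0750 "$dest" || return 1
    chmod 0644 "$dest/fullchain.pem" || return 1
    chmod 0640 "$dest/privkey.pem" || return 1   # group-readable, never world-readable
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    return 0
}

# Entry point when run by certbot; the destination and owner are assumptions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "/etc/ipfs-cluster/tls" "ipfs-cluster:ipfs-cluster"
fi
```

The same function can run from a role's post task against an existing lineage, which matches the chown/chmod approach certbot's documentation says survives renewals.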