geerlingguy / ansible-role-certbot

Ansible Role - Certbot (for Let's Encrypt)
https://galaxy.ansible.com/geerlingguy/certbot/
MIT License

Support for non-root services #156

Closed madoke closed 2 years ago

madoke commented 3 years ago

I have recently run into a use case where I'd need a non-root service to make use of certbot generated certificates. As you know, /etc/letsencrypt/live is access restricted, which makes it impossible to use by services which are unable to escalate privileges. It is also true that most of these services could be proxied by nginx, but in the case that they can't (ipfs-cluster in this case) for some weird reason, an alternative as suggested here: https://github.com/certbot/certbot/issues/7412 would be to use a post-hook script that would copy the certificates to a different folder/user/group after generation.

The support for hooks in this role is restricted to start/stop services; some customisability would be nice. I'll be glad to contribute if any of this makes sense.

madoke commented 3 years ago

In the meantime, I found this https://certbot.eff.org/docs/using.html#where-are-my-certificates in certbot's documentation, which suggests that we can change ownership and permissions of the certificate folder after generating it and it will be preserved through renewals. The solution was quickly implemented with a post task to change permissions after running the role.
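A post task of the kind the last comment describes, written here as an added example that is not part of the issue or of the geerlingguy.certbot role; the group name `ipfs`, the service account `ipfs`, the domain `example.com` and the service name `ipfs-cluster` are assumed placeholders. It gives only the service's group traversal rights on the certificate directories and read access to the private key, leaving everything else root-only.

```yaml
# Added example: run after the geerlingguy.certbot role has issued the certificate.
# Assumed values: group/user "ipfs", domain "example.com", service "ipfs-cluster".
- name: Grant a non-root service read access to its Let's Encrypt certificate
  hosts: all
  become: true
  vars:
    cert_domain: example.com
    cert_reader_group: ipfs
    cert_service_user: ipfs
    cert_service: ipfs-cluster
  tasks:
    - name: Ensure the reader group exists
      ansible.builtin.group:
        name: "{{ cert_reader_group }}"
        state: present

    # live/ holds symlinks into archive/, so both trees must be traversable
    # by the group. Group-only (0750): no world access is granted.
    - name: Allow the group to traverse the live and archive directories
      ansible.builtin.file:
        path: "{{ item }}"
        owner: root
        group: "{{ cert_reader_group }}"
        mode: "0750"
      loop:
        - /etc/letsencrypt/live
        - /etc/letsencrypt/archive
        - "/etc/letsencrypt/live/{{ cert_domain }}"
        - "/etc/letsencrypt/archive/{{ cert_domain }}"

    # privkey.pem in live/ is a symlink; follow it so the real key file
    # under archive/ becomes group-readable (0640), not the link itself.
    - name: Make the current private key readable by the group only
      ansible.builtin.file:
        path: "/etc/letsencrypt/live/{{ cert_domain }}/privkey.pem"
        follow: true
        owner: root
        group: "{{ cert_reader_group }}"
        mode: "0640"
      notify: Restart certificate consumer

    # Check as the service account itself, so a missing group membership
    # or a wrong directory mode fails the play instead of the service later.
    - name: Verify the service account can read the key
      ansible.builtin.command: test -r /etc/letsencrypt/live/{{ cert_domain }}/privkey.pem
      become_user: "{{ cert_service_user }}"
      changed_when: false

  handlers:
    - name: Restart certificate consumer
      ansible.builtin.service:
        name: "{{ cert_service }}"
        state: restarted
```

The same tasks can be reused as a certbot post-hook trigger point after each renewal if the modes are not preserved on a given certbot version.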