geerlingguy / ansible-role-certbot

Ansible Role - Certbot (for Let's Encrypt)
https://galaxy.ansible.com/geerlingguy/certbot/
MIT License

standalone mode fails when certbot_auto_renew_user is different than root #184

Closed weakcamel closed 1 year ago

weakcamel commented 2 years ago

OS: Ubuntu Bionic (18.04)

Scenario:

What happens next is:

TASK [geerlingguy.certbot : Generate new certificate if one doesn't exist.] ********************************************************************************************************************************
fatal: [myhost.lab.example.com]: FAILED! => changed=true
  cmd: certbot certonly --dns-route53 --noninteractive --agree-tos --email myteam@example.com -d myhost.lab.example.com
  delta: '0:00:02.041600'
  end: '2022-08-17 17:04:38.234402'
  msg: non-zero return code
  rc: 1
  start: '2022-08-17 17:04:36.192802'
  stderr: |-
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator dns-route53, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for myhost.lab.example.com
    Cleaning up challenges
    Unable to locate credentials
    To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
  stderr_lines: <omitted>
  stdout: |-
    IMPORTANT NOTES:
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
  stdout_lines: <omitted>

That's because this task runs as root and the certbot script doesn't see the credentials which were set up in ~postgres/.aws.

I thought I'd solve that by running the geerlingguy.certbot role with

- name: Install and configure certbot
  become: true
  become_user: "{{ certbot_auto_renew_user }}"
  ansible.builtin.import_role:
    name: geerlingguy.certbot

but that unfortunately fails when the certbot role tries to install a Debian package (as it's not root).
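One way to keep the package install as root while letting the root-run certbot find the renew user's Route53 credentials, as an added example playbook (not the role's own code, and not a fix proposed in this issue): point boto3 at the credentials file through `AWS_SHARED_CREDENTIALS_FILE` on the `import_role` task, and check the file's permissions first. The path `/var/lib/postgresql/.aws/credentials` (the expansion of `~postgres/.aws` on Ubuntu) and the `certbot_create_command` value reconstructed from the failing command above are assumptions.

```yaml
# Added example, not part of geerlingguy.certbot itself.
# Assumes: certbot_auto_renew_user is "postgres" and the Route53 credentials
# live in /var/lib/postgresql/.aws/credentials (i.e. ~postgres/.aws).
- hosts: all
  become: true          # whole play as root, so the apt install succeeds
  vars:
    certbot_auto_renew_user: postgres
    certbot_create_if_missing: true
    certbot_admin_email: myteam@example.com
    certbot_certs:
      - domains:
          - myhost.lab.example.com
    # Reconstructed from the command in the issue; adjust to your own needs.
    certbot_create_command: >-
      certbot certonly --dns-route53 --noninteractive --agree-tos
      --email {{ cert_item.email | default(certbot_admin_email) }}
      -d {{ cert_item.domains | join(',') }}
    aws_creds_file: /var/lib/postgresql/.aws/credentials   # assumed path

  pre_tasks:
    - name: Inspect the renew user's AWS credentials file
      ansible.builtin.stat:
        path: "{{ aws_creds_file }}"
      register: aws_creds

    - name: Refuse to continue if the credentials file is missing or readable by others
      ansible.builtin.assert:
        that:
          - aws_creds.stat.exists
          - aws_creds.stat.pw_name == certbot_auto_renew_user
          - aws_creds.stat.mode == '0600'
        fail_msg: >-
          {{ aws_creds_file }} must exist, be owned by {{ certbot_auto_renew_user }}
          and be mode 0600 before certbot is run against it.

  tasks:
    - name: Install and configure certbot
      # Task keywords on import_role apply to every task the role imports,
      # so the certbot command run as root reads this file instead of /root/.aws.
      environment:
        AWS_SHARED_CREDENTIALS_FILE: "{{ aws_creds_file }}"
      ansible.builtin.import_role:
        name: geerlingguy.certbot
```

The renewal cron job the role installs still runs as `certbot_auto_renew_user`, so at renewal time boto3 finds `~postgres/.aws` on its own without the environment variable.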

stale[bot] commented 1 year ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

weakcamel commented 1 year ago

Still an issue so bumping this up. Not sure if I'll be able to provide a PR for this, but I still might ;-)

stale[bot] commented 1 year ago

This issue is no longer marked for closure.

stale[bot] commented 1 year ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

github-actions[bot] commented 1 year ago

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.