search

interbrite / letsencrypt-vesta

Automate Let's Encrypt Certificate Installation for VestaCP
Other
217 stars 64 forks source link

vestacp crashing on cert request and letsencrypt-vesta only works if logged into ssh as root #34

Closed QueRoxa closed 3 years ago

QueRoxa commented 8 years ago

I've written a web interface so clients can auto request an ssl cert. I have to create an ssh instance to be able to run the script. The problem with this is that once it runs, it crashes vestacp (which inturn causes apache to become non responsive.) Manually restarting vestacp resolves this. But it should not crash vesta in the first place. Any thoughts?

Second, I cannot run letsencrypt-vesta as anything other than logging into ssh as root. sudo on another user does not work, Enabling the script to be run as sudo [user] without a password does not work either. I get either these errors: Warning: [user] is not a valid Vesta user account. Error: No valid users specified. (I know full well this user does indeed exist)

or (an)other error(s) which are vestacp errors detailing about (a) script(s) not existing. I currently can't remember how to replicate it but if I do I'll come back and edit.

Any ideas on either of these?

jpitoniak commented 8 years ago

I wouldn't be able to comment on why your web interface crashes Vesta without seeing what you've implemented, so I can't really lend any suggestions on that part.

As for sudo, letsencrypt-vesta will only work when run as root. This is by design, because the Vesta command line tools, which letsencrypt-vesta relies on, are intended to be run as root. If you wanted to let non-root users use letsencrypt-vesta, you could set up your sudoers file to allow everyday users to run the command, but then you'd have no way to enforce that users are only requesting certs for the sites they own, as letsencrypt-vesta doesn't do any user-level validation.

It does sound like you're on the right track with the web interface, though. The best way to do it would be to do user-to-site validation in the web script and then allow the site's user ID to run the letsencrypt-vesta script with sudo and no password AFTER it's done the work to validate the requester. Vesta's default behavior is to run web scripts under the UID of the account that owns them, so there's no need to start a separate SSH process. (This is essentially what's going on with the main Vesta web interface: end users may changes via the web and the web scripts use sudo to gain root level privs to make system changes when necessary.)

You could also write a command-line script that does the user validation and give users sudo NOPASSWD privs to run that. That script would be able to call letsencrypt-vesta (because it's running as root), but end users wouldn't be able to call letsencrypt-vesta directly.