roots / trellis

WordPress LEMP stack with PHP 8.2, Composer, WP-CLI and more
https://roots.io/trellis/
MIT License
2.5k stars 607 forks

Dedicated user for letsencrypt #668

Open perifer opened 8 years ago

perifer commented 8 years ago

The Ansible role that is credited for the letsencrypt functionality, https://github.com/andreaswolf/ansible-role-letsencrypt, states in the Readme:

You can also adjust the user and group used for generating the certificates; there should be a dedicated user for this (recommended by the acme-tiny authors).

And from the Readme at https://github.com/diafygi/acme-tiny#permissions:

The biggest problem you'll likely come across while setting up and running this script is permissions. You want to limit access to your account private key and challenge web folder as much as possible. I'd recommend creating a user specifically for handling this script, the account private key, and the challenge folder. Then add the ability for that user to write to your installed certificate file (e.g. /path/to/chained.pem) and reload your webserver. That way, the cron script will do its thing, overwrite your old certificate, and reload your webserver without having permission to do anything else.

BE SURE TO:

  • Backup your account private key (e.g. account.key)
  • Don't allow this script to be able to read your domain private key!
  • Don't allow this script to be run as root!

Looking at the letsencrypt role in Trellis, these recommendations seem not to be followed, e.g. the renewal cronjob is run as root.
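What the acme-tiny recommendations quoted above look like when applied in Ansible, as an added example that is not Trellis code or the andreaswolf role's code: a dedicated system user owns only the ACME account key and the challenge directory, may overwrite the installed chained certificate, and is allowed a single `sudo` command to reload nginx; the domain private key stays owned by root and unreadable to that user, and the renewal cron entry runs as that user rather than root. The user name `letsencrypt`, every path, the `web` host group, the nginx worker user `www-data`, the domain and the assumption that the domain key and CSR are generated elsewhere by root are all assumptions made for the example. The `--account-key`, `--csr` and `--acme-dir` options are acme-tiny's own.

```yaml
# Added example, not from Trellis or the upstream letsencrypt role.
# All names and paths below are assumptions chosen for illustration.
- name: Run Let's Encrypt renewals as a dedicated unprivileged user
  hosts: web
  become: true
  vars:
    le_user: letsencrypt                 # assumed dedicated account
    le_home: /var/lib/letsencrypt        # assumed; holds account.key and the CSR only
    le_challenge_dir: /var/www/letsencrypt-challenge   # assumed; served as /.well-known/acme-challenge/
    le_cert_dir: /etc/ssl/letsencrypt    # assumed; renewed chained.pem is written here
    domain_key: /etc/ssl/private/example.com.key       # assumed; generated by root, never by le_user
    nginx_user: www-data                 # assumed nginx worker user
    site_domain: example.com             # assumed

  tasks:
    - name: Create the dedicated user with no login shell
      user:
        name: "{{ le_user }}"
        system: true
        home: "{{ le_home }}"
        create_home: true
        shell: /usr/sbin/nologin

    - name: Only the dedicated user can enter its home (account key lives here)
      file:
        path: "{{ le_home }}"
        state: directory
        owner: "{{ le_user }}"
        group: "{{ le_user }}"
        mode: "0700"

    - name: Generate the ACME account key once, as the dedicated user
      command: openssl genrsa -out {{ le_home }}/account.key 4096
      args:
        creates: "{{ le_home }}/account.key"
      become_user: "{{ le_user }}"

    - name: Account key is readable by its owner only
      file:
        path: "{{ le_home }}/account.key"
        owner: "{{ le_user }}"
        group: "{{ le_user }}"
        mode: "0600"

    - name: Challenge directory; the dedicated user writes, nginx only reads
      file:
        path: "{{ le_challenge_dir }}"
        state: directory
        owner: "{{ le_user }}"
        group: "{{ nginx_user }}"
        mode: "0750"

    - name: Certificate directory; the dedicated user may overwrite chained.pem
      file:
        path: "{{ le_cert_dir }}"
        state: directory
        owner: "{{ le_user }}"
        group: "{{ nginx_user }}"
        mode: "0750"

    # The domain key is assumed to exist already (created by root).
    # root:www-data 0640 in a root-owned directory means le_user can
    # neither read nor replace it, which is the acme-tiny rule above.
    - name: Domain private key stays unreadable to the dedicated user
      file:
        path: "{{ domain_key }}"
        owner: root
        group: "{{ nginx_user }}"
        mode: "0640"

    - name: Allow the dedicated user exactly one privileged command, the nginx reload
      copy:
        dest: /etc/sudoers.d/letsencrypt-reload
        content: "{{ le_user }} ALL=(root) NOPASSWD: /bin/systemctl reload nginx\n"
        owner: root
        group: root
        mode: "0440"
        validate: visudo -cf %s

    # Runs as le_user, not root. Output goes to a temp file first so a
    # failed run cannot truncate the certificate nginx is currently using.
    - name: Monthly renewal cron entry owned by the dedicated user
      cron:
        name: letsencrypt renew {{ site_domain }}
        user: "{{ le_user }}"
        minute: "0"
        hour: "3"
        day: "1"
        job: >-
          acme-tiny --account-key {{ le_home }}/account.key
          --csr {{ le_home }}/{{ site_domain }}.csr
          --acme-dir {{ le_challenge_dir }}
          > {{ le_cert_dir }}/{{ site_domain }}.chained.pem.new
          && mv {{ le_cert_dir }}/{{ site_domain }}.chained.pem.new
          {{ le_cert_dir }}/{{ site_domain }}.chained.pem
          && sudo /bin/systemctl reload nginx
```

The CSR can be handed to the dedicated user because it carries no private material; what the user must never hold is the domain key itself. A quick check after applying this is `sudo -u letsencrypt cat /etc/ssl/private/example.com.key`, which should fail with permission denied, while `sudo -u letsencrypt sudo -l` should list only the nginx reload command.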

swalkinshaw commented 8 years ago

Yeah I agree that would be an improvement. We'd obviously be open to a PR which addressed this if you're interested.