While it's not recommended nor officially supported, it should also be possible to run certbot as a non-root user by either changing ownership of the --work-dir, --logs-dir, and --config-dir (by default these are /var/lib/letsencrypt, /var/log/letsencrypt, and /etc/letsencrypt respectively) or setting those three directories to other, non-root-owned custom directories. See User Guide — Certbot 2.7.0.dev0 documentation for more info about --deploy-hook and the three directory options I just mentioned.
No Docker image should be run as root, as it gives the underlying user access to the host file system (as root is root).
However, Certbot wants to be root. We can work around this. https://community.letsencrypt.org/t/certbot-must-be-run-as-root-but-i-need-it-to-create-the-files-with-a-different-owner/151376
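
One way to apply the second option described above (custom, non-root-owned directories), as an added example that is not part of the original posts. `CERTBOT_BASE`, the script name and the function names are assumptions; `--config-dir`, `--work-dir` and `--logs-dir` are the options named above.

```shell
#!/bin/sh
# Added example. CERTBOT_BASE is an assumed location, not a Certbot default.
CERTBOT_BASE="${CERTBOT_BASE:-$HOME/certbot}"

# Create the three directories, accessible only to the current user.
prepare_dirs() {
    for d in config work logs; do
        mkdir -p "$1/$d" || return 1
        chmod 700 "$1/$d" || return 1
    done
}

# True only for a directory we own with no group/other permission bits.
# The config dir holds private keys, so anything looser is rejected.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ -O "$1" ] || return 1
    # Mode string is e.g. "drwx------"; characters 5-10 are group and other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check all three directories; report each one that fails.
verify_dirs() {
    rc=0
    for d in config work logs; do
        dir_is_private "$1/$d" || { echo "not private: $1/$d" >&2; rc=1; }
    done
    return $rc
}

# Run a renewal as the unprivileged user against the custom directories.
run_certbot() {
    [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 1; }
    prepare_dirs "$CERTBOT_BASE" || return 1
    verify_dirs "$CERTBOT_BASE" || return 1
    certbot renew \
        --config-dir "$CERTBOT_BASE/config" \
        --work-dir "$CERTBOT_BASE/work" \
        --logs-dir "$CERTBOT_BASE/logs"
}

# Only act when invoked as: ./certbot-nonroot.sh renew
if [ "${1:-}" = "renew" ]; then
    run_certbot
fi
```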