Hello,
I have recently been facing issues using acme.sh with sudo. I understand there should be a good reason for it, but it results in a small conflict with the nature of acme.sh.
It would be nice if someone could explain, as it is not clear to me and probably to many others, why using sudo is not good but doing it directly after sudo su is fine.
Sometimes we want to install certs, or even renew or issue certs, in "protected" locations like /var/www or the Nginx folder (to install certs, for example /etc/nginx/certs).
So, since we cannot use sudo, we will be forced to install acme.sh as the root user or to grant permissions on those "protected" locations to the specific user who installed acme.sh. Basically, we are forced to use acme.sh as the root user, because even when we grant another user permissions on the different locations, it is a headache to get the Nginx or Apache command to reload the service after a certificate installation.
Can someone give us a guide on the correct/secure way to handle this? And why is using sudo so problematic for this? I would be glad to add these details to the wiki once it is clear.
Thank you very much in advance.
You broke my website and gave a link to a one-sentence shit explanation. Not cool. Agreed, there may be good reasons, but you haven't given any. Don't break things without an explanation.
I am using sudo -u acme, and you almost certainly don't want to be triggering in that circumstance.
Edit: OK, looking at the code, apparently you do, but I have no idea why. Again, explanation please.
I agree. This can potentially prevent any cert from getting renewed or installed on the server, causing a massive issue for several users of this project. I think @Neilpang could re-think this slowly or provide a way to sort this out correctly. I am afraid this is causing more damage than benefit.
https://github.com/Neilpang/acme.sh/pull/2437/commits/5bdfdfefbebd7ee4f95f7009947f56a25db07c4a
OK, well, for now I've changed it manually and turned off autoupdate.
This can break many site configurations, and the only explanation you gave was "Do not use sudo", really?
Sorry, the wiki is not updated yet.
I will update it later.
Most people use sudo by mistake.
You could use sudo by hand, but there is no sudo in the cron job. So, the --issue command probably succeeds by hand with sudo, but the renewal in the cron job will fail.
Most people are not aware of this fact, and they will only notice the failure after 90 days.
The website will go down without any notice.
That's why sudo is forbidden by default, which makes sure that if --issue succeeds, the renewal in the cron job must also succeed.
If you are sure you want to use sudo, you can add the --force parameter, but you are at your own risk.
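Added example (editorial, not acme.sh's own code and not from any commenter): a POSIX shell guard that implements the behaviour described above, stopping when the script is invoked through sudo unless --force is given, so that a manual `sudo ... --issue` cannot succeed while the user's cron job, which has no sudo, fails later. It assumes that sudo exports SUDO_USER, SUDO_UID, SUDO_GID and SUDO_COMMAND to the child process (stock sudo does); the function names and the message text are mine.

```shell
#!/bin/sh
# Illustration only (not acme.sh's code): refuse to run under sudo unless the
# caller explicitly passes --force.
#
# Assumption: sudo exports SUDO_USER, SUDO_UID, SUDO_GID and SUDO_COMMAND to
# the child process. All four are required, so one stale variable left in the
# environment does not trip the guard on its own.

# under_sudo: succeeds (0) when the current process looks like a sudo child.
under_sudo() {
  [ -n "${SUDO_USER:-}" ] && [ -n "${SUDO_UID:-}" ] \
    && [ -n "${SUDO_GID:-}" ] && [ -n "${SUDO_COMMAND:-}" ]
}

# has_force ARGS...: succeeds when --force appears among the arguments.
has_force() {
  for _arg in "$@"; do
    [ "$_arg" = "--force" ] && return 0
  done
  return 1
}

# sudo_guard ARGS...: returns 0 when execution may proceed, 1 when the script
# should stop. Pass the script's own "$@" so that --force can be detected.
sudo_guard() {
  if under_sudo && ! has_force "$@"; then
    cat >&2 <<EOF
It looks like you are running this command through sudo (SUDO_USER=$SUDO_USER).
The cron job that renews certificates does not run through sudo, so a command
that succeeds now is likely to fail at renewal time, and you would only notice
when the certificate expires. Either run everything as the user that owns the
cron job, or pass --force if you accept that risk.
EOF
    return 1
  fi
  return 0
}

# Usage inside a script, before any real work is done:
#   sudo_guard "$@" || exit 1
```

Checking all four SUDO_* variables rather than just SUDO_USER is deliberate: a shell profile or a wrapper script can leave a single one of them exported, and a guard that fires on that alone would block users who never touched sudo.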
@nest-7
The change only affects you when you execute acme.sh by hand from the command line. The cron job will not be affected.
This means all existing sites will not be affected, just new users who use sudo.
Ohhh, so I have been getting weird behavior then, as I have been using acme.sh for years (with sudo) and never had issues with the renewal of any of those certificates. Why could that be? Am I missing something?
In my opinion, whether people use sudo or not is, as you say, at their own risk, and a warning or similar might help, but stopping the execution altogether seems too much.
I can confirm that using --force works perfectly, but using, just as an example, sudo acme.sh --list --force seems a little weird.
@Neilpang thank you so much for replying and giving an alternative with --force. I would like to know your thoughts about my comments.
@za3k you use a free service built on the amazing work of someone else, and dare to be rude?
Get some decency, dude.
Sorry for giving you a hard time, Neil. Every server I run broke at once, and it was hot =/ but still, rude. Thanks for writing acme.sh.
On 2019-08-16 00:00, Fernando Miguel wrote: "@za3k you use a free service from the amazing work of someone else, and dare be rude? Get some decency, dude."
See this wiki page; I will update the page soon.