[Cryptography] letsencrypt.org

Robin Wood robin at digi.ninja
Thu Sep 14 12:30:37 EDT 2017


On Thu, 14 Sep 2017 at 17:26 Jason Cooper <cryptography at lakedaemon.net>
wrote:

> Hi Robin,
>
> On Thu, Sep 14, 2017 at 01:30:28PM +0000, Robin Wood wrote:
> > On Wed, 13 Sep 2017 at 23:08 Jason Cooper <cryptography at lakedaemon.net> wrote:
> > > It's extremely useful, with the caveat that certificates are only valid
> > > for 90 days (by design), and require admin privileges to install.
> > >
> > > To maximize its usefulness, it's worth the time investment to set up a
> > > cron job to automatically renew the certs.  Note that this must run as
> > > root (admin).
> > >
> >
> > Mine doesn't, it does everything as a low privilege user and then has sudo
> > privileges to restart apache.
>
> So the certificate and keys are readable and writable by this
> low-privilege user?
>

The CSR is readable and the certificate read/writable; it doesn't need access
to the private key.

I could make the certificate write-only, but I allowed it to be read so I
could check how long it had left before it expired and trigger a renewal in
the last 7 days of its life. I could work around this but didn't see the
need.

Robin


>
> thx,
>
> Jason.
>
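The split Robin describes (an unprivileged renewal user that can read the CSR and read/write the certificate but not the private key, a 7-day renewal window checked from the certificate itself, and sudo limited to restarting apache), written out as an added example that is not from the thread. The paths, the renewal wrapper `renew-cert.sh`, the sudoers line and the cron entry are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): renewal check run from the unprivileged
# user's crontab. Paths, the renewal command and the sudo rule are assumptions.
set -eu

CERT="${CERT:-/home/acme/certs/fullchain.pem}"          # readable + writable by the acme user
KEY="${KEY:-/etc/ssl/private/server.key}"               # must NOT be readable by the acme user
RENEW_CMD="${RENEW_CMD:-/home/acme/bin/renew-cert.sh}"  # hypothetical ACME client wrapper
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-7}"
# Matching sudoers line (assumed); the only privileged step this job can take:
#   acme ALL=(root) NOPASSWD: /bin/systemctl restart apache2
RESTART_CMD="sudo -n /bin/systemctl restart apache2"

# needs_renewal CERT DAYS: exit 0 if CERT is missing or expires within DAYS, else 1.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0                          # no certificate yet: issue one
    secs=$((days * 86400))
    # openssl -checkend exits 0 when the cert is still valid past the window,
    # 1 when it expires inside it.
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_is_readable KEY: exit 0 if this user can read the private key (a misconfiguration).
key_is_readable() { [ -r "$1" ]; }

main() {
    if key_is_readable "$KEY"; then
        echo "warning: renewal user can read $KEY; tighten its permissions" >&2
    fi
    if needs_renewal "$CERT" "$RENEW_WINDOW_DAYS"; then
        echo "certificate expires within $RENEW_WINDOW_DAYS days, renewing"
        "$RENEW_CMD"        # reads the CSR, writes the new cert, runs unprivileged
        $RESTART_CMD        # the only privileged action, confined by the sudoers rule
    else
        echo "certificate valid for more than $RENEW_WINDOW_DAYS days, nothing to do"
    fi
}

# cron entry for the acme user (assumed): 17 3 * * * /home/acme/bin/renew-if-needed.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```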