[Cryptography] letsencrypt.org

John Levine johnl at iecc.com
Sun Sep 17 06:13:40 EDT 2017


In article <20170914162618.GL31762 at io.lakedaemon.net> you write:
>> Mine doesn't, it does everything as a low privilege user and then has sudo
>> privileges to restart apache.

Same here.  The certs and keys go into a folder that belongs
to the acme user that apache can read.  There's a similar setup
for the smtp and imap and pop servers.

>So the certificate and keys are readable and writable by this
>low-privilege user?

Well, yeah, that's how LE works.  It generates the keys and CSRs
automatically.  The user's files aren't readable by any other user and
it doesn't do anything but create and renew certs and doesn't allow
outside login so I don't see it as weaker than any other
software-based way to manage certs.

R's,
John
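
A check for the layout described in this message, as an added example that is not part of the original post: it audits a certificate directory for entries not owned by the ACME account, any access granted to "other", and group write access. The function names, the directory argument and the account argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message). Audits a certificate
# directory of the kind described: owned by the low-privilege ACME
# account, with the server reading it through group access only.
# Assumed usage: audit_cert_dir DIR OWNER  (DIR and OWNER are placeholders)

# report LABEL LIST: print LIST under LABEL; return 1 if LIST is non-empty.
report() {
    if [ -n "$2" ]; then
        printf '%s:\n%s\n' "$1" "$2"
        return 1
    fi
    return 0
}

audit_cert_dir() {
    acd_dir=$1
    acd_owner=$2
    if [ ! -d "$acd_dir" ]; then
        echo "not a directory: $acd_dir" >&2
        return 2
    fi
    # Symlinks carry their own mode bits (777 on Linux) and are skipped;
    # the files they point to inside the tree are checked directly.
    acd_owner_bad=$(find "$acd_dir" ! -type l ! -user "$acd_owner" -print)
    # Any read, write or search bit set for "other".
    acd_other=$(find "$acd_dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    # The server's group should be able to read, never to write.
    acd_gwrite=$(find "$acd_dir" ! -type l -perm -020 -print)

    acd_status=0
    report "not owned by $acd_owner" "$acd_owner_bad" || acd_status=1
    report "accessible to other users" "$acd_other" || acd_status=1
    report "group-writable" "$acd_gwrite" || acd_status=1
    return "$acd_status"
}
```

The function returns 0 when the tree is clean, 1 when it lists findings, and 2 when the directory does not exist.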


