Running acme.sh as a service user (SUDO Warning) #3250

Closed
BlackthornYugen opened this issue Nov 9, 2020 · 1 comment

@BlackthornYugen

I have acme.sh running as a service user (svc_acme). Sometimes I like to switch to that user to check on it, but I am currently forced to unset SUDO_USER before using acme.sh. Do we want to give the warning when userA runs acme.sh as userB?

use case

switch to service user

[john@example.dev]$ sudo su svc_acme --shell /usr/bin/bash

fail to list certificates

[svc_acme@example.dev]$ acme.sh --list
It seems that you are using sudo, please read this link first:
https://github.com/acmesh-official/acme.sh/wiki/sudo

sudo vars

[svc_acme@example.dev]$ env | grep SUDO
SUDO_USER=john
SUDO_UID=1001
SUDO_COMMAND=/bin/su svc_acme --shell /usr/bin/bash
SUDO_GID=1001

sudo is not recommended

The wiki page says that "Remember: Using sudo is not recommended" but I feel like this should be a responsible way to use acme.sh. I can give the acme user the ability to create any certificates I need, and then use file permissions to allow services access to only the certs they need. IE:

/home/svc_acme/.acme.sh/haproxy.example.dev svc_acme:haproxy 640
/home/svc_acme/.acme.sh/nginx.example.dev   svc_acme:nginx   640
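
The owner:group and mode scheme listed above can be checked mechanically. This is an added example, not part of the original post and not acme.sh code; the `audit_cert_perms` function and its policy-file format are assumptions, the demo files are constructed, and it relies on GNU `stat -c`.

```bash
#!/usr/bin/env bash
# Added example (not acme.sh code): audit per-service certificate permissions.
# Policy lines use the shape from the post: "<path> <owner>:<group> <mode>".
# audit_cert_perms and the policy-file format are assumptions for illustration.

# Prints one finding per problem; returns 0 only if every path matches.
audit_cert_perms() {
  local policy=$1 path want_og want_mode got_og got_mode rc=0
  while read -r path want_og want_mode; do
    case $path in ''|'#'*) continue ;; esac   # skip blanks and comments
    if [ ! -e "$path" ]; then
      echo "MISSING $path"; rc=1; continue
    fi
    got_og=$(stat -c '%U:%G' "$path")          # GNU stat: owner:group
    got_mode=$(stat -c '%a' "$path")           # GNU stat: octal mode
    if [ "$got_og" != "$want_og" ]; then
      echo "OWNER $path is $got_og, expected $want_og"; rc=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
      echo "MODE $path is $got_mode, expected $want_mode"; rc=1
    fi
    # Any "other" bit lets every local account reach the key material.
    if [ $(( 0$got_mode & 7 )) -ne 0 ]; then
      echo "WORLD $path is accessible to other users"; rc=1
    fi
  done < "$policy"
  return "$rc"
}

# Constructed demo: two stand-in key files in a temp directory, one
# deliberately left world-readable so the audit has something to report.
demo() {
  local dir me
  dir=$(mktemp -d)
  me=$(stat -c '%U:%G' "$dir")                 # owner:group of files made here
  touch "$dir/haproxy.key" "$dir/nginx.key"
  chmod 640 "$dir/haproxy.key"; chmod 644 "$dir/nginx.key"
  printf '%s %s 640\n' "$dir/haproxy.key" "$me" "$dir/nginx.key" "$me" > "$dir/policy"
  audit_cert_perms "$dir/policy"
  rm -rf "$dir"
}
demo
```

Run from cron or a monitoring check, a non-zero return from `audit_cert_perms` flags drift in ownership or mode before a service can read a certificate it was not meant to.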

BlackthornYugen changed the title from "Running acme as a service user (SUDO Warning)" to "Running acme.sh as a service user (SUDO Warning)" on Nov 9, 2020

@BlackthornYugen

Thanks so much! Works on my machine now. :)

[svc_acme@cent john]$ acme.sh --upgrade
It seems that you are using sudo, please read this link first:
https://github.com/acmesh-official/acme.sh/wiki/sudo

[svc_acme@cent john]$ unset SUDO_USER
[svc_acme@cent john]$ acme.sh --version
v2.8.6

[svc_acme@cent john]$ acme.sh --upgrade
[Tue Dec  1 11:35:10 EST 2020] Installing from online archive.
[Tue Dec  1 11:35:10 EST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Dec  1 11:35:11 EST 2020] Extracting master.tar.gz
[Tue Dec  1 11:35:11 EST 2020] Installing to /home/svc_acme/.acme.sh
[Tue Dec  1 11:35:11 EST 2020] Installed to /home/svc_acme/.acme.sh/acme.sh
[Tue Dec  1 11:35:11 EST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Dec  1 11:35:12 EST 2020] OK
[Tue Dec  1 11:35:12 EST 2020] Install success!
[Tue Dec  1 11:35:12 EST 2020] Upgrade success!

[svc_acme@cent john]$ acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8

[svc_acme@cent john]$ exit
exit
➜  ~ sudo su svc_acme --shell /usr/bin/bash

[svc_acme@cent john]$ acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8

[svc_acme@cent john]$ acme.sh --upgrade
[Tue Dec  1 11:35:55 EST 2020] Already uptodate!
[Tue Dec  1 11:35:55 EST 2020] Upgrade success!
