Skip to content
hashlash edited this page Jul 14, 2022 · 14 revisions


Do not use sudo if you cannot properly configure it.

Notice: This wiki is not complete yet.

Using sudo is not recommended. If not properly configured to not ask for password it may cause permission issues when running commands from the cronjob (like renew), resulting in some or all of your certificates not being renewed and eventually will expire.

If you need root, please su to root first, and then install and use it.

#uninstall for current user --uninstall

#change to root
sudo su

#install again for root user
curl | sh -s

#use it
bash --issue -d .....

Now, if you are completely sure of the issues and the possibilities with the usage of sudo and still want to use it, you can pass the --force parameter to work with sudo.


YMMV based on Linux distribution and method of installing

create non-root account

For this example, we use "acme" but you can use whatever you'd like.

sudo useradd -d  /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
sudo chown acme:mail /etc/acme-sh/

define crontab for non-root account

sudo su - -s /bin/bash acme
crontab -e

Adjust path to your installation script, insert into your non-root crontab

12 0 * * * /usr/share/ --cron --home "/etc/acme-sh" > /dev/null

Webserver issue method

When using the webserver method, you need to define the directories writes to and adjust ownership to our non-root account. While monitoring the issue event logs, you might observer additional file structure permission errors when ran as non-root. From our experiences, those can be ignored as the script does not hard fail as the important directories and files creation is functional. Maybe this is where the --force should be used?

sudo mkdir -p /var/www/EXAMPLE.COM/htdocs/.well-known/acme-challenge
sudo chown acme:acme /var/www/

nginx config

You probably already have a web daemon configuration file for your application. If you are running a mail server, you need a basic http port 80 server for

sudo $EDITOR /etc/nginx/conf.d/ 
server {
    listen [::]:80;
    listen 80;
    server_name EXAMPLE.COM;

    access_log /var/log/nginx/EXAMPLE.COM.access_log main;
    error_log /var/log/nginx/EXAMPLE.COM.error_log info;

    root /var/www/EXAMPLE.COM/htdocs;

Register and Issue

There are more detailed instructions within the documentation and wiki for this process. This is a brief example. --register-account -m --debug --issue -d -d -d -d -w /var/www/EXAMPLE.COM/htdocs


This grants our non-root service account super user rights to restart services during certificate renewals.

sudo visudo

Insert this line, adjust to your deployment use-cases and sudo version

acme ALL=(ALL:ALL) NOPASSWD: /etc/init.d/postfix restart, /etc/init.d/dovecot restart


Create a new directory which our non-root account can write certificates into.

sudo mkdir /etc/ssl/acme
sudo chown acme:acme /etc/ssl/acme

These restart commands should match what you defined in visudo above --installcert -d --keypath  /etc/ssl/acme/ --capath /etc/ssl/acme/ --fullchainpath /etc/ssl/acme/ --reloadcmd  "sudo /etc/init.d/postfix restart && sudo /etc/init.d/dovecot restart"

cleanup (optional)

Your distro might place a global bashrc script. This is not needed.

sudo rm /etc/bash/bashrc.d/
Clone this wiki locally