by luchs 3844 days ago
I'm a bit confused about the "non-root support" -- the (somewhat lengthy) setup manual absolutely seems to require root to set up users and directories in the root filesystem.

In contrast, the official client can absolutely work without having root access. You can install it locally (pip install --user letsencrypt) and change all working directories to paths your user can write to using a configuration file.

2 comments

Some people don't want to run a client as root because they don't want to increase their attack surface or don't trust the software to that extent. The purpose of the non-root manual is to allow people to take understandable steps as root to enable the client to operate not as root.

It should be possible to use the client without having root access, by passing --state (and perhaps --hooks) to use a state directory you control.

Ah, cool - I will try it then.

My motivation for not requiring root is shared hosting: I have a regular user with access to an Apache webroot directory. They didn't fully automate Let's Encrypt, but they provide a script which installs certificates for the central webserver. So I have to download and run any ACME client myself to get my certificates.

I believe this is regarding the renewal cronjob.