by djsumdog
3171 days ago
IIRC, the last time I set it up, I stuck HAProxy in front so I could still send ACME requests to certbot, but didn't have to have it running as root. If you put its user in the HAProxy group, it can write the certs as 640. If you want to be really secure, you create SELinux or AppArmor policies as well.

As a bonus, you can have zero-downtime renewals and use the TLS-SNI challenge, rather than relying on the "it's probably safe but it still feels wrong" HTTP challenge.
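The setup the comment above describes, written out as an added example (this is not djsumdog's code or config, and not part of the original thread). Assumptions, all mine: certbot runs as an unprivileged user and answers challenges on 127.0.0.1:8888 (`certbot certonly --standalone --http-01-port 8888 --config-dir ... --deploy-hook ...`), HAProxy runs under the `haproxy` group and loads combined cert+key PEMs from `/etc/haproxy/certs`, and the hook is installed as the certbot `--deploy-hook`, which is what exports `RENEWED_LINEAGE`. One caveat a practitioner would want today: Let's Encrypt retired the TLS-SNI-01 challenge in 2019, so this routes the HTTP-01 challenge path instead; everything else (non-root certbot, 0640 files owned by the HAProxy group, a reload rather than a restart) is unchanged.

```bash
#!/usr/bin/env bash
# Added example, not the commenter's own configuration. Assumed names:
# user "certbot" listening on 127.0.0.1:8888, group "haproxy",
# combined PEMs in /etc/haproxy/certs.
set -euo pipefail

# Front-end stanza that diverts only the ACME HTTP-01 path to certbot's
# standalone listener; every other request goes to the normal backend.
haproxy_acme_config() {
  local acme_port="${1:-8888}"
  cat <<EOF
frontend http-in
    bind *:80
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme_certbot if acme_challenge
    default_backend app

backend acme_certbot
    server certbot 127.0.0.1:${acme_port}

backend app
    server app1 127.0.0.1:8080
EOF
}

# Deploy hook body. certbot sets RENEWED_LINEAGE to live/<domain> when it
# calls --deploy-hook. Build the fullchain+key PEM HAProxy expects, never
# let the private key exist world-readable even briefly, hand it to the
# HAProxy group as 0640, swap it in atomically, then reload (not restart).
#   $1 lineage dir   $2 output dir   $3 group ("" to skip chgrp)
#   $4 reload command (default: systemctl reload haproxy)
install_haproxy_cert() {
  local lineage="$1" outdir="$2" group="${3:-haproxy}"
  local reload_cmd="${4:-systemctl reload haproxy}"
  local name tmpfile dst
  name="$(basename "$lineage")"
  tmpfile="${outdir}/.${name}.pem.tmp"
  dst="${outdir}/${name}.pem"
  (umask 077; : > "$tmpfile")                 # created 0600, owner only
  cat "${lineage}/fullchain.pem" "${lineage}/privkey.pem" > "$tmpfile"
  if [ -n "$group" ]; then chgrp "$group" "$tmpfile"; fi
  chmod 0640 "$tmpfile"                        # owner rw, HAProxy group r
  mv -f "$tmpfile" "$dst"                      # atomic: HAProxy never reads a partial file
  $reload_cmd
  echo "$dst"
}

# When run by certbot as the deploy hook, install whatever was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_haproxy_cert "$RENEWED_LINEAGE" /etc/haproxy/certs
fi
```

The `umask 077` subshell plus `chmod 0640` matters more than it looks: `cat > file` alone creates the file with the default umask (usually 0644), so the private key would be world-readable for the interval between creation and `chmod`. Pair the hook with an SELinux or AppArmor profile that confines the certbot user to its own config/work/log directories and the single output directory, as the comment suggests.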