certbot service file is incomplete and has bad defaults

Bug #1886084 reported by Avamander
Affects: python-certbot (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet.

If people use things like `nginx` as their web server and proxy certbot, it also doesn't respect that dependency; it would be a good idea to leave a comment highlighting that.

The second issue is that it has `PrivateTmp=true`, which breaks setups where certbot's webroot is in `/tmp`; this is not a good default. It is a very common setup.

The third issue is that the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be a bit more useful and less likely to interfere with any reasonable setups.

This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

Avamander (avamander)
description: updated
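A systemd drop-in that applies the changes the report asks for, added here as an example rather than anything from the bug, the reporter or the certbot package; the override path, the `nginx.service` unit name and the contents of the packaged unit are assumptions. It orders after `network-online.target` instead of `network.target`, because systemd only guarantees that the network is actually up for units ordered after the former.

```ini
# /etc/systemd/system/certbot.service.d/override.conf  (assumed path, a drop-in
# that is merged over the packaged unit; run `systemctl daemon-reload` afterwards)

[Unit]
# Do not start until the network is configured. network.target only means the
# networking stack was initialised; network-online.target waits for connectivity.
Wants=network-online.target
After=network-online.target
# When the ACME challenge is served through a web server, order after it as well
# so the webroot is reachable before certbot runs (unit name assumed).
After=nginx.service

[Service]
# Undo the packaged PrivateTmp=true so a webroot under /tmp (or /var/tmp, which the
# same setting also isolates) stays visible to the web server.
PrivateTmp=false
# Hardening from the report: no privilege escalation via setuid/capabilities, and
# no access to /home, /root and /run/user. ProtectHome=yes would hide a webroot
# placed under /home, so drop it (or use ProtectHome=read-only) in that case.
NoNewPrivileges=yes
ProtectHome=yes
```

After `systemctl daemon-reload`, `systemctl show certbot.service -p After -p PrivateTmp -p NoNewPrivileges -p ProtectHome` confirms that the override was merged into the effective unit.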