Activity log for bug #1886084

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2020-07-02 18:24:34 | Avamander | bug | | | added bug |
| 2020-07-02 18:24:47 | Avamander | description | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. Third issue is that instead, the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups. | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that instead, the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups. | |
| 2020-07-02 18:26:16 | Avamander | description | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that instead, the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups. | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that instead, the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups. This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. | |
| 2020-07-02 18:27:50 | Avamander | description | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that instead, the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be much more useful and less likely to interfere with any reasonable setups. This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be a bit more useful and less likely to interfere with any reasonable setups. This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. | |
| 2020-07-02 18:28:40 | Avamander | description | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be a bit more useful and less likely to interfere with any reasonable setups. This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. | For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet. If people use things `nginx` as their web server and proxy certbot, it also doesn't respect that dependency, it would be a good idea to leave a comment highlighting that. Second issue is that it has `PrivateTmp=true`, it breaks such setups where certbot's webroot is in `/tmp`, this is not a good default. It is a very common setup. Third issue is that the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be a bit more useful and less likely to interfere with any reasonable setups. This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. | |