Public bug reported:

For some reason, the certbot.service hasn't been marked with `After=network.target`, which can cause it to be triggered when there isn't network yet.

If people use things like `nginx` as their web server and proxy certbot, it also doesn't respect that dependency; it would be a good idea to leave a comment highlighting that.

Second issue is that it has `PrivateTmp=true`; it breaks such setups where certbot's webroot is in `/tmp`. This is not a good default. It is a very common setup.

Third issue is that the service lacks things like `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening flags, which would be a bit more useful and less likely to interfere with any reasonable setups.

This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

** Affects: python-certbot (Ubuntu)
   Importance: Undecided
   Status: New
https://bugs.launchpad.net/bugs/1886084

Title: certbot service file is incomplete and has bad defaults
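One way to check a unit file for the three issues raised in this report, as an added example that is not part of the original bug report or of the Ubuntu package. `SAMPLE_UNIT` is a constructed unit file, not the packaged `certbot.service`, and the function names and finding labels are hypothetical.

```python
# Added example: audit a systemd unit for the three issues in the report.
# SAMPLE_UNIT is constructed; it is not the packaged certbot.service.
SAMPLE_UNIT = """\
[Unit]
Description=Certbot (constructed sample)

[Service]
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
"""
HARDENING = ("NoNewPrivileges", "ProtectHome")  # flags named in the report
ON, OFF = ("1", "yes", "true", "on"), ("0", "no", "false", "off")

def parse_unit(text):
    """Return {section: {key: [values]}}; systemd allows repeated keys."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            values = unit[section].setdefault(key, [])
            if value:
                values.append(value)
            else:
                values.clear()  # an empty assignment resets the setting
    return unit

def audit(text, webroot=None):
    """Return finding labels; webroot is the ACME webroot path, if known."""
    unit = parse_unit(text)
    u, s = unit.get("Unit", {}), unit.get("Service", {})
    findings = []
    after = set(" ".join(u.get("After", [])).split())
    if not after & {"network.target", "network-online.target"}:
        findings.append("no-network-ordering")
    private_tmp = s.get("PrivateTmp", [])
    # PrivateTmp= gives the service its own /tmp and /var/tmp, so a webroot
    # there is not the directory the web server serves challenges from.
    if private_tmp and private_tmp[-1].lower() in ON and webroot \
            and (webroot + "/").startswith(("/tmp/", "/var/tmp/")):
        findings.append("privatetmp-hides-webroot")
    for key in HARDENING:
        if not s.get(key) or s[key][-1].lower() in OFF:
            findings.append("missing-" + key)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT, webroot="/tmp/acme-webroot"))
```

On a live system, `systemd-analyze security certbot.service` gives a broader view of which sandboxing directives a unit sets.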