Public bug reported:

For some reason, the certbot.service hasn't been marked with
`After=network.target`, which can cause it to be triggered when there
isn't a network yet.

If people use things like `nginx` as their web server and proxy certbot,
it also doesn't respect that dependency; it would be a good idea to leave
a comment highlighting that.

Second issue is that it has `PrivateTmp=true`, which breaks such setups
where certbot's webroot is in `/tmp`; this is not a good default. It is
a very common setup.

Third issue is that the service lacks things like `NoNewPrivileges=yes`,
`ProtectHome=yes` and other similar hardening flags, which would be a
bit more useful and less likely to interfere with any reasonable setups.

This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

** Affects: python-certbot (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  For some reason, the certbot.service hasn't been marked with
  `After=network.target`, which can cause it to be triggered when there
  isn't network yet.
  
  Second issue is that it has `PrivateTmp=true`, it breaks such setups
- where certbot's webroot is in `/tmp`, this is not a good default.
+ where certbot's webroot is in `/tmp`, this is not a good default. It is
+ a very common setup.
  
  Third issue is that instead, the service lacks things like
  `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening
  flags, which would be much more useful and less likely to interfere with
  any reasonable setups.

** Description changed:

  For some reason, the certbot.service hasn't been marked with
  `After=network.target`, which can cause it to be triggered when there
  isn't network yet.
  
  Second issue is that it has `PrivateTmp=true`, it breaks such setups
  where certbot's webroot is in `/tmp`, this is not a good default. It is
  a very common setup.
  
  Third issue is that instead, the service lacks things like
  `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening
  flags, which would be much more useful and less likely to interfere with
  any reasonable setups.
+ 
+ This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

** Description changed:

  For some reason, the certbot.service hasn't been marked with
  `After=network.target`, which can cause it to be triggered when there
  isn't network yet.
  
  Second issue is that it has `PrivateTmp=true`, it breaks such setups
  where certbot's webroot is in `/tmp`, this is not a good default. It is
  a very common setup.
  
- Third issue is that instead, the service lacks things like
- `NoNewPrivileges=yes`, `ProtectHome=yes` and other similar hardening
- flags, which would be much more useful and less likely to interfere with
- any reasonable setups.
+ Third issue is that the service lacks things like `NoNewPrivileges=yes`,
+ `ProtectHome=yes` and other similar hardening flags, which would be a
+ bit more useful and less likely to interfere with any reasonable setups.
  
  This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

** Description changed:

  For some reason, the certbot.service hasn't been marked with
  `After=network.target`, which can cause it to be triggered when there
  isn't network yet.
+ 
+ If people use things `nginx` as their web server and proxy certbot, it
+ also doesn't respect that dependency, it would be a good idea to leave a
+ comment highlighting that.
  
  Second issue is that it has `PrivateTmp=true`, it breaks such setups
  where certbot's webroot is in `/tmp`, this is not a good default. It is
  a very common setup.
  
  Third issue is that the service lacks things like `NoNewPrivileges=yes`,
  `ProtectHome=yes` and other similar hardening flags, which would be a
  bit more useful and less likely to interfere with any reasonable setups.
  
  This exists on Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
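The script below is an added example and not part of the bug report or of
Ubuntu's package: it audits a unit file for the ordering and hardening
directives the report names, then writes the drop-in override a defender
would apply. The sample unit text, the `audit_unit` and `write_dropin`
function names, and the override path argument are all assumptions made
here.

```shell
#!/bin/sh
# Added example (not from the bug report or Ubuntu's package): audit a unit
# for the directives the report discusses, then write a drop-in override.
# The sample unit below is constructed to resemble the problematic service;
# it is not the packaged certbot.service.

# Constructed: no network ordering, PrivateTmp set, no hardening directives.
SAMPLE_UNIT='[Unit]
Description=Certbot
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true'

# Read a unit on stdin; print each expected directive that is absent and
# flag PrivateTmp=true, which gives the service its own empty /tmp and so
# breaks a webroot placed there. Returns 0 when nothing needs changing.
audit_unit() {
    unit=$(cat)
    problems=0
    for want in 'After=network.target' 'NoNewPrivileges=yes' 'ProtectHome=yes'; do
        if ! printf '%s\n' "$unit" | grep -qxF "$want"; then
            echo "missing: $want"
            problems=$((problems + 1))
        fi
    done
    if printf '%s\n' "$unit" | grep -qxF 'PrivateTmp=true'; then
        echo "check: PrivateTmp=true conflicts with a webroot under /tmp"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Write the override drop-in. The directory defaults to where systemd reads
# drop-ins for certbot.service; pass another path to run without root.
write_dropin() {
    dir=${1:-/etc/systemd/system/certbot.service.d}
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF'
[Unit]
# network-online.target plus Wants= is the stronger choice when the renewal
# must actually reach the ACME server, not just see an interface come up.
After=network.target

[Service]
NoNewPrivileges=yes
# ProtectHome=yes makes /home and /root inaccessible to the service: move a
# webroot out of those directories before enabling it.
ProtectHome=yes
# Uncomment only when the webroot really lives under /tmp:
#PrivateTmp=false
EOF
}
```

After writing the drop-in, `systemctl daemon-reload` is needed before the
override takes effect, and `systemctl cat certbot.service` shows the merged
result.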

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1886084

Title:
  certbot service file is incomplete and has bad defaults


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
