Score:1

Renew Let's Encrypt without root access


I'm in a peculiar and unfortunate situation where our network administrator suddenly passed away and no one was prepared for taking over the server management. We have an internal Linux VM that runs client-facing APIs and I just received notice that the Let's Encrypt SSL will expire on 7/1/2021.

I am not sure if the network admin set it to auto-renew... There is no mention of certbot in the "normal" crontab (accessed by crontab -e), but there is the following in /etc/cron.d/certbot:

```
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
```

Note: I am not familiar with any of this, so my descriptions above may be off...

I have SSH access via a user on the server, but not root access. It doesn't seem like the network admin stored the root password anywhere. If I try to manually renew the SSL just to be safe via `certbot renew --dry-run`, I get the following:

```
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
```

So, is there any way to know for sure if the existing SSL will eventually auto-renew on its own, or a way to renew without root access?

Thanks in advance.
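An added example, not from the question or any answer: non-root checks for the situation above. Note that the cron entry quoted in the question only fires when `/run/systemd/system` does not exist; on a systemd host the Debian package relies on `certbot.timer` instead, which an unprivileged user can list. The hostname `api.example.com` is a placeholder.

```shell
#!/bin/sh
# Non-root diagnostics: how is renewal scheduled here, and when does the
# served certificate actually expire?  Added example, not the page's own code.

# 1. Which renewal mechanism is live on this host (readable without root).
#    The /etc/cron.d/certbot job is skipped when /run/systemd/system exists,
#    so on a systemd host only certbot.timer counts.
renewal_mechanism() {
    if [ -d /run/systemd/system ]; then
        if systemctl list-timers --all 2>/dev/null | grep -q 'certbot\.timer'; then
            echo "systemd-timer"
        else
            echo "none"
        fi
    elif [ -x /usr/bin/certbot ] && [ -r /etc/cron.d/certbot ] \
        && grep -q 'certbot -q renew' /etc/cron.d/certbot; then
        echo "cron"
    else
        echo "none"
    fi
}

# 2. Does a PEM certificate expire within N days?  Exit status 0 means yes.
#    openssl's -checkend exits non-zero when the cert WILL expire in the
#    window, so the result is inverted; no date parsing is needed.
cert_expires_within_days() {
    pem="$1"; days="$2"
    ! openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1
}

# 3. Save the certificate the server really serves (what browsers see),
#    so the check above can run against it.  Needs no privileges.
fetch_served_cert() {
    host="$1"; out="$2"
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Usage (hostname is a placeholder):
#   fetch_served_cert api.example.com /tmp/served.pem
#   cert_expires_within_days /tmp/served.pem 30 && echo "renewal needed soon"
#   echo "renewal mechanism: $(renewal_mechanism)"
```

Re-run the expiry check a day after the timer or cron job should have fired: if the served certificate's expiry moves, renewal is working and the dashboard of the CA is not needed.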

Michael Hampton
It probably already did renew. But your priorities are wrong: You need to recover root access _first_, before anything else.
scferg5
If I go to the URL and check the certificate, it still says it expires 7/1/2021. And agreed that root access needs to be recovered – we're working on that too, without luck so far.
A.B
If nothing is encrypted (e.g. using LUKS) the usual method when the root password is lost, **with downtime**, is to boot from some rescue ISO to be able to replace the root password in /etc/shadow.
Score:3

If you want to replace this certificate (if it won't renew itself) without downtime I see only one option: a reverse proxy on a second server.

All in all you will have to break in. The easiest way is to reboot the server, add the boot parameters "single init=/bin/bash", use passwd to change the password and then reboot again. There might be some additional steps depending on the distro; you will easily find instructions on the internet.
