
I run a web server on Debian 10 (Buster) and Apache 2.4.38. I created a special user acme that runs scripts for renewing TLS certificates.

$ cat /etc/passwd | grep ^acme
acme:x:1002:1002::/var/acme:/usr/bin/nologin
$ cat /etc/group | grep ^acme
acme:x:1002:

This acme user should be allowed to reload the Apache 2 configuration after the certificates were renewed. So I added this line to my /etc/sudoers using visudo(8):

%acme   ALL=(root) NOPASSWD: /etc/init.d/apache2 reload

Unfortunately, this doesn't work:

$ sudo -u acme /etc/init.d/apache2 reload
[....] Reloading apache2 configuration (via systemctl): apache2.serviceFailed to reload apache2.service: Access denied
See system logs and 'systemctl status apache2.service' for details.
 failed!

Have I missed something?

1 Answer


You need to BE the user acme when you run sudo, not with -u acme.

acme@host:~ $ sudo /etc/init.d/apache2 reload

Another possible issue:

The % in your sudoers file denotes that acme is a group. This is not an issue when your user is in a group called acme, but it is if he is not.

Gerald Schneider
  • OK, I got it, since the whole process will be started as `acme`, I can use `sudo` instead of `sudo -u acme` in my script. That works! – Patrick Bucher Jul 28 '21 at 19:43
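The following is an added example, not code from the question, the answer or the sudo project. It is a deliberately simplified model of how sudo picks a sudoers entry (user or %group, host, Runas user, exact command string, last match wins) and uses a constructed two-line sudoers: a typical `%sudo` admin rule plus the `%acme` rule from the question. Running it shows why `sudo -u acme ...` typed by an admin is granted by the admin rule and therefore runs the init script unprivileged as `acme`, while `sudo ...` typed by `acme` (target user defaults to root) hits the `%acme` rule, and why a user that is not in group `acme` gets no match at all. The user name `admin` and host name `host` are assumptions; real sudo also handles aliases, wildcards, Runas groups and Defaults, which this model ignores.

```python
"""Simplified model of sudoers rule matching (added example, not sudo's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# who host=(runas_user[:runas_group]) [TAG: ...] command-with-arguments
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


@dataclass
class Rule:
    who: str          # a user name, "%group", or ALL
    host: str         # host name or ALL
    runas: List[str]  # Runas users listed inside the parentheses
    nopasswd: bool    # NOPASSWD: tag present
    command: str      # command plus its full argument list, or ALL


def parse_rule(line: str) -> Rule:
    """Parse one sudoers entry of the shape used in the question."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers syntax: {line!r}")
    # "(ALL:ALL)" carries a Runas group after the colon; only the user part matters here
    runas_users = m.group("runas").split(":")[0]
    runas = [u.strip() for u in runas_users.split(",") if u.strip()] or ["root"]
    return Rule(
        who=m.group("who"),
        host=m.group("host"),
        runas=runas,
        nopasswd="NOPASSWD" in m.group("tags"),
        command=m.group("cmd").strip(),
    )


def rule_matches(rule: Rule, invoking_user: str, groups: List[str],
                 hostname: str, target_user: str, argv: List[str]) -> bool:
    """True if this entry applies to the given invocation."""
    if rule.who.startswith("%"):
        if rule.who[1:] not in groups:      # a % entry names a group, not a user
            return False
    elif rule.who not in ("ALL", invoking_user):
        return False
    if rule.host not in ("ALL", hostname):
        return False
    # the user named with -u (root when -u is absent) must be in the Runas list
    if "ALL" not in rule.runas and target_user not in rule.runas:
        return False
    # sudo compares the whole argument vector against the entry, not just argv[0]
    if rule.command != "ALL" and rule.command != " ".join(argv):
        return False
    return True


def effective_match(rules: List[Rule], invoking_user: str, groups: List[str],
                    hostname: str, target_user: str, argv: List[str]
                    ) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) of the entry sudo would apply: the last match wins."""
    match = None
    for i, rule in enumerate(rules):
        if rule_matches(rule, invoking_user, groups, hostname, target_user, argv):
            match = (i, rule)
    return match


# Constructed sample sudoers: an admin rule plus the rule from the question.
SUDOERS = [
    "%sudo   ALL=(ALL:ALL) ALL",
    "%acme   ALL=(root) NOPASSWD: /etc/init.d/apache2 reload",
]
RULES = [parse_rule(line) for line in SUDOERS]
RELOAD = ["/etc/init.d/apache2", "reload"]


def admin_with_dash_u() -> Optional[Tuple[int, Rule]]:
    # What the question ran: an admin in group sudo typing `sudo -u acme ...`.
    # Only the %sudo rule matches, so the script runs as acme without root.
    return effective_match(RULES, "admin", ["admin", "sudo"], "host", "acme", RELOAD)


def acme_plain_sudo() -> Optional[Tuple[int, Rule]]:
    # What the answer recommends: acme itself typing `sudo ...` (target user root).
    return effective_match(RULES, "acme", ["acme"], "host", "root", RELOAD)


def acme_without_group() -> Optional[Tuple[int, Rule]]:
    # The answer's second point: %acme names a group; a user outside it matches nothing.
    return effective_match(RULES, "acme", ["users"], "host", "root", RELOAD)


if __name__ == "__main__":
    for name, fn in [("admin, sudo -u acme", admin_with_dash_u),
                     ("acme, sudo", acme_plain_sudo),
                     ("acme not in group acme", acme_without_group)]:
        hit = fn()
        print(f"{name:28} -> {'no matching entry' if hit is None else SUDOERS[hit[0]]}")
```

In the first case the reload is executed as `acme`, which is exactly the "Access denied" from systemctl in the question: the `%acme` entry never came into play. The second case is the one the renewal script should use, and the third is what happens when the `%` group form is kept but the account is not a member of that group.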