I run a web server on Debian 10 (Buster) and Apache 2.4.38. I created a special user acme that runs scripts for renewing TLS certificates.
$ cat /etc/passwd | grep ^acme
acme:x:1002:1002::/var/acme:/usr/bin/nologin
$ cat /etc/group | grep ^acme
acme:x:1002:
This acme user should be allowed to reload the Apache 2 configuration after the certificates were renewed. So I added this line to my /etc/sudoers using visudo(8):
%acme ALL=(root) NOPASSWD: /etc/init.d/apache2 reload
Unfortunately, this doesn't work:
$ sudo -u acme /etc/init.d/apache2 reload
[....] Reloading apache2 configuration (via systemctl): apache2.serviceFailed to reload apache2.service: Access denied
See system logs and 'systemctl status apache2.service' for details.
failed!
Have I missed something?
You need to BE the user acme when you run sudo, not with -u acme.
Another possible issue:
The % in your sudoers file denotes that acme is a group. This is not an issue when your user is in a group called acme, but it is if he is not.
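The group point above, as an added example that is not part of either post: a simplified model of how a sudoers subject (`user` or `%group`) is matched against a user's primary and supplementary groups. The acme passwd and group lines are the ones shown in the question; the www-data and certs entries and the function name `subject_matches` are constructed for illustration, and aliases, netgroups and `%#gid` forms are not handled.

```shell
#!/bin/sh
# Added example: simplified model of sudoers subject matching.
# Covers only "user" and "%group" subjects.

# subject_matches USER SUBJECT PASSWD_FILE GROUP_FILE
# Exit status 0 if a rule written for SUBJECT applies to USER.
subject_matches() {
    user=$1; subject=$2; passwd=$3; group=$4
    case $subject in
        %*) grp=${subject#?} ;;                 # strip the leading %
        *)  [ "$subject" = "$user" ]; return ;;  # plain user name
    esac
    # GID of the named group; an unknown group never matches
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group")
    [ -n "$gid" ] || return 1
    # Primary group: 4th field of the user's passwd entry
    pgid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ "$pgid" = "$gid" ] && return 0
    # Supplementary membership: user listed in the group's member field
    awk -F: -v g="$grp" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$group"
}

# Sample data: acme lines from the question, the rest constructed.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
acme:x:1002:1002::/var/acme:/usr/bin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
cat > "$SAMPLE/group" <<'EOF'
acme:x:1002:
www-data:x:33:
certs:x:1004:www-data
EOF

# acme has no entry in the group's member list, yet %acme still applies
# because 1002 is its primary GID in passwd.
for u in acme www-data; do
    if subject_matches "$u" %acme "$SAMPLE/passwd" "$SAMPLE/group"; then
        echo "%acme rule applies to $u"
    else
        echo "%acme rule does not apply to $u"
    fi
done
```

On the real host, running `sudo -l -U acme` as root lists the commands sudo actually grants to acme.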