xenoid's questions

I have a server out there that supports HTTPS using a certbot/letsencrypt certificate.

I am doing a general software upgrade so to minimize risks and downtime, I'm installing new releases on a new server on which I import the live server data for tests. When everything works I'll have the DNS record changed to point to the new server.

My question is what should I do for the certificate? Can I just copy over the existing one and let it get renewed when necessary? Or will the certificate be incompatible and/or LE will complain that the address has changed during the auto-renewal process? Will LE be sensitive to reverse DNS (it may take some more delay for the reverse DNS to work). Is there any other problem I didn't think about?

I'm trying to set up user-level services, using this answer to a similar question. I have create the required files and rebooted.

I'm making progress because I now get "Failed to get D-bus connection: permission denied" when it was "Failed to get D-bus connection: connection refused", but I'm stumped because I don't know what object it is trying to access (file? socket?) and so cannot even check current permissions. Any ideas?

So far I have added:

loginctl enable-linger userservice

/usr/lib/systemd/user/dbus.service (-rw-r--r-- root root)

[Unit]
Description=D-Bus User Message Bus
Requires=dbus.socket

[Service]
ExecStart=/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
ExecReload=/usr/bin/dbus-send --print-reply --session --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig

[Install]
Also=dbus.socket

/usr/lib/systemd/user/dbus.socket (-rw-r--r-- root root)

[Unit]
Description=D-Bus User Message Bus Socket

[Socket]
ListenStream=%t/bus
ExecStartPost=-/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus

[Install]
WantedBy=sockets.target
Also=dbus.service

/home/userservice/.config/systemd/user/userservice.service

[Unit]
Description=Test user-level service

[Service]
Type=dbus
BusName=com.wtf.service
ExecStart=/home/userservice/userservice.py
Restart=on-failure

[Install]
WantedBy=default.target

Not added any links elsewhere...

To make it fail:

systemctl --user status

Edit 2018-10-25:

Added export XDG_RUNTIME_DIR=/run/user/$(id -u) to .bashrc. The variable is set and now I get: Failed to get D-us connection: no such file or directory. Strangely, neither man systemctl nor systemctl --help mention the --user option, while both mention --system and specify that this is the default (so what are the other options).

Using RHEL 7.4 (with systemd 219 as reported by systemctl --version) with SELinux.

I ma trying to make a Docker container image with an Apache server that handles TLS mutual authentication. Since this is a container Apache can be made to listen some high-numbered port instead of 443, so this should remove the need for root execution.

However, as soon as I try to enable TLS, I get this:

[Thu Oct 11 09:50:50.357758 2018] [auth_digest:notice] [pid 22] AH01757: generating secret for digest authentication ...
[Thu Oct 11 09:50:50.357818 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01762: Failed to create shared memory segment on file /run/httpd/authdigest_shm.22
[Thu Oct 11 09:50:50.357825 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01760: failed to initialize shm - all nonce-count checking, one-time nonces, and MD5-sess algorithm disabled

Are root privileges required to create the shared memory or can the access rights be amended to allow non-root usage?