From f7d35db2e6f8b86e1bed92f0aabc16e50e4cf5af Mon Sep 17 00:00:00 2001
From: Kevin O'Connor <kevin@kevo.io>
Date: Thu, 22 Jun 2023 02:56:34 -0400
Subject: [PATCH] Ensure credential files are owned by kvmd-certbot (#1036)

The current instructions will lead to the file being owned by root with
rw permissions only granted to the owner. However, the kvmd-certbot
script around certbot will invoke certbot as the user kvmd-certbot.
Therefore the credential files must be owned by kvmd-certbot.
---
 docs/letsencrypt.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/letsencrypt.md b/docs/letsencrypt.md
index aecf0fd0..c4a1e0d9 100644
--- a/docs/letsencrypt.md
+++ b/docs/letsencrypt.md
@@ -69,6 +69,7 @@ This example shows that PiKVM may not be accessible from the internet, but you c
       # kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
       # kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth
       # kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth
+      # kvmd-pstrun -- chown kvmd-certbot: /var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth
       ```
 
 3. Obtain the certificate:
@@ -154,6 +155,7 @@ This example shows that PiKVM may not be accessible from the internet, but you c
 
       ```
       # kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
+      # kvmd-pstrun -- chown kvmd-certbot: /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
       ```
 
 4. Obtain the certificate: