diff --git a/README.md b/README.md index 8e86dac..c14ba7c 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,25 @@ than what makes sense to show in a minimal snippet. * [commandline (standalone with "webroot")](https://github.com/Daplie/node-letsencrypt/blob/master/examples/commandline.js) * [expressjs (fully automatic https)](https://github.com/Daplie/node-letsencrypt/blob/master/examples/express.js) +### non-root + +If you want to run this as non-root, you can. + +You just have to set node to be allowed to use root ports + +``` +# node +sudo setcap cap_net_bind_service=+ep /usr/local/bin/node +``` + +and then make sure to set all of of the following to a directory that your user is permitted to write to + +* `webrootPath` +* `configDir` +* `workDir` (python backend only) +* `logsDir` (python backend only) + + See Also ======== diff --git a/index.js b/index.js index e1ad0c5..96c6c8e 100644 --- a/index.js +++ b/index.js @@ -95,6 +95,18 @@ LE.create = function (backend, defaults, handlers) { return; } + // + // IMPORTANT + // + // Before attempting a dynamic registration you need to validate that + // + // * these are hostnames that you expected to exist on the system + // * their A records currently point to this ip + // * this system's ip hasn't changed + // + // If you do not check these things, then someone could attack you + // and cause you, in return, to have your ip be rate-limit blocked + // console.warn("[SECURITY WARNING]: node-letsencrypt: validate(hostnames, cb) NOT IMPLEMENTED"); cb(null, true); }