Also it can be highly locked down - run as it's own unprivileged user, with access only to directories served by another webserver for the ACME handshake, storing certs, and a tightly restricted sudoer to restart the webserver on cert cycle.
Also it can be highly locked down - run as it's own unprivileged user, with access only to directories served by another webserver for the ACME handshake, storing certs, and a tightly restricted sudoer to restart the webserver on cert cycle.