
> The official way to renew Let's Encrypt certificates is automatically, with a tool called certbot. It downloads a bunch of untrusted data from the web, and then feeds that data into your web server, all as root.

Why would you run certbot as root? You don't do that with any other server.





It used to be the case that you had to run certbot as root or it just wouldn't work. At least not officially; you could get it to work without root, but it wasn't supported.

The official docs still recommend doing so:

> Certbot is most useful when run with root privileges, because it is then able to automatically configure TLS/SSL for Apache and nginx.


I think I've never run it as root since it came out, by using the `webroot` method, where certbot just writes the challenges to a specified path it has access to and that's it.

I haven't experienced that, since I prefer acmetool.


