I want to use golang's built in ListenAndServeTLS() function to serve up my webserver (it's a very simple one), and I need to show it where my keys are stored. The keys are stored in a location only the root user can access (Let's Encrypt did this by default) and I can't listen to port 80 or 443 unless I'm the root user.
Does this mean I have to be running the script as root all the time? Is that not insecure?
To blatantly quote the well-written Caddy FAQ:
No. On Linux, you can use setcap to give Caddy permission to bind to low ports. Something like
setcap cap_net_bind_service=+ep ./caddyshould work. Consult the man pages of your OS to be certain. You could also use iptables to forward to higher ports.Privilege de-escalation is another option, but it is not yet a reliable solution. It will be implemented as soon as this becomes a robust possibility. Concerned readers are encouraged to get involved to help this become a reality.
To add to @ma_il's answer, you can use setcap but you still would have to change the permissions of the cert.
Or build your app then run it as root, example: go build && sudo ./app