From 5171b5aa3137b7dad2ef9bd95e5dbfb551acecd1 Mon Sep 17 00:00:00 2001
From: nic <31355096+nabbi@users.noreply.github.com>
Date: Thu, 9 Jun 2022 20:29:10 -0500
Subject: [PATCH] clarify which commands are root by prefixing sudo

---
 sudo.md | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/sudo.md b/sudo.md
index 7727e6b..b5ec442 100644
--- a/sudo.md
+++ b/sudo.md
@@ -35,13 +35,13 @@ YMMV based on Linux distribution and method of installing acme.sh
 ## create non-root account
 For this example, we use "acme" but you can use whatever you'd like.
 ```
-useradd -d /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
-chown acme:mail /etc/acme-sh/
+sudo useradd -d /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
+sudo chown acme:mail /etc/acme-sh/
 ```
 
 ## define crontab for non-root account
 ```
-su - -s /bin/bash acme
+sudo su - -s /bin/bash acme
 crontab -e
 ```
 
@@ -60,7 +60,10 @@ chown acme:acme /var/www/EXAMPLE.com/htdocs/.well-known/acme-challenge
 
 ## nginx config
 You probably already have a web daemon configuration file for your application. If you are running a mail server, you need a basic http port 80 server for acme.sh
-/etc/nginx/conf.d/example.com.conf
+```
+sudo $EDITOR /etc/nginx/conf.d/example.com.conf
+```
+
 ```
 server {
   listen [::]:80;
@@ -85,7 +88,7 @@ acme.sh --debug --issue -d mail.example.com -d foo.example.com -d -d bar.example
 ## visudo
 This grants our non-root service account super user rights to restart services during certificate renewals.
 ```
-visudo
+sudo visudo
 ````
 Insert this line, adjust to your deployment use-cases and sudo version
 
@@ -97,8 +100,8 @@ acme ALL=(ALL:ALL) NOPASSWD: /etc/init.d/postfix restart, /etc/init.d/dovecot re
 
 Create a new directory which our non-root account can write certificates into.
 ```
-mkdir /etc/ssl/acme
-chown acme:acme /etc/ssl/acme
+sudo mkdir /etc/ssl/acme
+sudo chown acme:acme /etc/ssl/acme
 ```
 
 These restart commands should match what you defined in visudo above
@@ -110,5 +113,5 @@ acme.sh --installcert -d mail.example.com --keypath /etc/ssl/acme/example.com.k
 
 Your distro might place a global bashrc script. This is not needed.
 ```
-rm /etc/bash/bashrc.d/acme.sh
+sudo rm /etc/bash/bashrc.d/acme.sh
 ```