clarify which commands are root by prefixing sudo

nic 2022-06-09 20:29:10 -05:00
parent 074edeb017
commit 5171b5aa31

sudo.md

@ -35,13 +35,13 @@ YMMV based on Linux distribution and method of installing acme.sh
## create non-root account
For this example, we use "acme" but you can use whatever you'd like.
```
useradd -d /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
chown acme:mail /etc/acme-sh/
sudo useradd -d /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
sudo chown acme:mail /etc/acme-sh/
```
## define crontab for non-root account
```
su - -s /bin/bash acme
sudo su - -s /bin/bash acme
crontab -e
```
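Review bot: `sudo useradd -d /etc/acme-sh/ ... acme` has no `-m`, so whether `/etc/acme-sh/` exists before the following `sudo chown acme:mail /etc/acme-sh/` depends on the distribution's CREATE_HOME default; adding `-m` (or an explicit `sudo mkdir -p /etc/acme-sh`) makes the step deterministic. For the crontab step, `sudo crontab -u acme -e` edits the service account's crontab without opening an interactive shell as the nologin user, which is narrower than `sudo su - -s /bin/bash acme`.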
@ -60,7 +60,10 @@ chown acme:acme /var/www/EXAMPLE.com/htdocs/.well-known/acme-challenge
## nginx config
You probably already have a web daemon configuration file for your application. If you are running a mail server, you need a basic http port 80 server for acme.sh
/etc/nginx/conf.d/example.com.conf
```
sudo $EDITOR /etc/nginx/conf.d/example.com.conf
```
```
server {
listen [::]:80;
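Review bot: `sudo $EDITOR /etc/nginx/conf.d/example.com.conf` runs the whole editor as root; `sudoedit /etc/nginx/conf.d/example.com.conf` (equivalently `sudo -e`) copies the file, runs the editor unprivileged and writes the result back, which is the safer pattern for editing config files and matches the `visudo` approach used later in this document. The bare path line just above the fence now duplicates the path in the command and could be dropped.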
@ -85,7 +88,7 @@ acme.sh --debug --issue -d mail.example.com -d foo.example.com -d -d bar.example
## visudo
This grants our non-root service account super user rights to restart services during certificate renewals.
```
visudo
sudo visudo
````
Insert this line, adjust to your deployment use-cases and sudo version
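Review bot: the closing fence after `sudo visudo` is four backticks while the opener is three; CommonMark accepts a longer closing fence, but it is inconsistent with every other block in this file and worth normalizing to three while this block is being touched. Consider also `sudo visudo -f /etc/sudoers.d/acme` so the NOPASSWD rule for the service account lives in its own drop-in rather than in the main sudoers file.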
@ -97,8 +100,8 @@ acme ALL=(ALL:ALL) NOPASSWD: /etc/init.d/postfix restart, /etc/init.d/dovecot re
Create a new directory which our non-root account can write certificates into.
```
mkdir /etc/ssl/acme
chown acme:acme /etc/ssl/acme
sudo mkdir /etc/ssl/acme
sudo chown acme:acme /etc/ssl/acme
```
These restart commands should match what you defined in visudo above
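Review bot: after `sudo chown acme:acme /etc/ssl/acme` the directory keeps the default mkdir mode, and the later `--installcert` step writes the private key here as the acme user; a `sudo chmod 750 /etc/ssl/acme` (or an explicit mode on the installed key) would keep other local accounts from reading key material. `sudo mkdir -p` would also make the step safe to re-run.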
@ -110,5 +113,5 @@ acme.sh --installcert -d mail.example.com --keypath /etc/ssl/acme/example.com.k
Your distro might place a global bashrc script. This is not needed.
```
rm /etc/bash/bashrc.d/acme.sh
sudo rm /etc/bash/bashrc.d/acme.sh
```
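Review bot: the text says the global bashrc script is only present on some distributions, but `sudo rm /etc/bash/bashrc.d/acme.sh` fails when the file is absent; `sudo rm -f /etc/bash/bashrc.d/acme.sh` (or a guard on the file's existence) keeps the step idempotent.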