### Describe the bug

When using the `security.acme` module to obtain a certificate using `listenHTTP = ":80";`, lego fails to bind to the port because permission is denied.

### Steps To Reproduce

1. `nixos-rebuild switch`
2. `journalctl -u acme-<domain>.service` yields a result like the following:

```
Sep 18 12:10:52 taube acme-<domain>-start[58403]: + set -euo pipefail
Sep 18 12:10:52 taube acme-<domain>-start[58403]: + echo <domainhash>
Sep 18 12:10:52 taube acme-<domain>-start[58403]: + cmp -s domainhash.txt certificates/domainhash.txt
Sep 18 12:10:52 taube acme-<domain>-start[58403]: + lego --accept-tos --path . -d <domain> --email <email> --key-type ec256 --http --http.port :80 run
Sep 18 12:10:53 taube acme-<domain>-start[58419]: 2022/09/18 12:10:53 [INFO] [<domain>] acme: Obtaining bundled SAN certificate
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 [INFO] [<domain>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<...>
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 [INFO] [<domain>] acme: Could not find solver for: tls-alpn-01
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 [INFO] [<domain>] acme: use http-01 solver
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 [INFO] [<domain>] acme: Trying to solve HTTP-01
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<...>
Sep 18 12:10:54 taube acme-<domain>-start[58419]: 2022/09/18 12:10:54 Could not obtain certificates:
Sep 18 12:10:54 taube acme-<domain>-start[58419]: error: one or more domains had a problem:
Sep 18 12:10:54 taube acme-<domain>-start[58419]: [<domain>] [<domain>] acme: error presenting token: could not start HTTP server for challenge: listen tcp :80: bind: permission denied
Sep 18 12:10:54 taube acme-<domain>-start[58403]: + echo Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Sep 18 12:10:54 taube acme-<domain>-start[58403]: Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Sep 18 12:10:54 taube acme-<domain>-start[58403]: + exit 10
```

### Expected behavior

`lego` binds to port 80, serves the challenge successfully and downloads the certificates.

### Additional context

`nixpkgs/nixos/modules/security/acme/default.nix` (line 327 in 494fcbb) conditionally adds `CAP_NET_BIND_SERVICE` to `CapabilityBoundingSet`. The generated service file at `/etc/systemd/system/acme-<domain>.service` contains the line `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`.

The port is reachable from the outside, as confirmed using `nc`/`nc -l`.

Nothing else is bound to the port, as confirmed using `netstat -tulpn`.

When using port 50080 instead of 80, everything works as expected and without errors.
Hi, and thanks for the bug report. I wrote a test and was able to reproduce this :) It seems both CapabilityBoundingSet and AmbientCapabilities must be set for this to work. The systemd docs hint as to why, stating it is useful if you want to execute a process as a non-privileged user but still want to give it some capabilities. I think CapabilityBoundingSet simply limits what capabilities can be used, if allowed, not what ones are explicitly granted.
I'll hopefully have a PR for this and other things tonight.
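The distinction in the comment above can be checked directly on the process rather than inferred from the unit file. The following is an added example, not code from the issue or from the nixpkgs `security.acme` module: it decodes the five `Cap*` masks a process reports in `/proc/<pid>/status` and maps the result onto the systemd directive that is missing. It assumes the service runs as a non-root `User=`, which is why a capability that is merely permitted by `CapabilityBoundingSet=` never reaches the effective set unless `AmbientCapabilities=` raises it. The two status fragments are constructed to mirror the bounding-set-only unit and the fixed unit; they are not captured from a real host.

```python
# Added example (not code from the nixpkgs issue or the security.acme module):
# decode the capability sets a process reports in /proc/<pid>/status and
# explain why a bounding-set-only unit cannot bind a privileged port.
#
# systemd's CapabilityBoundingSet= only trims CapBnd, the ceiling on what the
# process may ever hold. A service started as a non-root User= begins with
# empty permitted/effective sets, so a capability that is merely "allowed" by
# the bounding set is never actually granted. AmbientCapabilities= puts the
# capability into CapAmb, which the kernel carries into CapPrm/CapEff across
# execve() even for an unprivileged user; that is what lets lego bind :80.

from dataclasses import dataclass

CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h>


@dataclass(frozen=True)
class CapSets:
    inheritable: int
    permitted: int
    effective: int
    bounding: int
    ambient: int


def parse_proc_status(text: str) -> CapSets:
    """Pull the five Cap* hex masks out of /proc/<pid>/status text."""
    wanted = {"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"}
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in wanted:
            fields[key] = int(value.strip(), 16)
    missing = wanted - fields.keys()
    if missing:
        raise ValueError(f"status text lacks {sorted(missing)}")
    return CapSets(fields["CapInh"], fields["CapPrm"], fields["CapEff"],
                   fields["CapBnd"], fields["CapAmb"])


def has_cap(mask: int, cap: int) -> bool:
    return bool(mask >> cap & 1)


def can_bind_privileged_port(caps: CapSets) -> bool:
    """bind(2) on a port below 1024 checks the effective set only; CapBnd is not consulted."""
    return has_cap(caps.effective, CAP_NET_BIND_SERVICE)


def diagnose(caps: CapSets) -> str:
    """Map the observed sets onto the systemd directive that is missing."""
    if can_bind_privileged_port(caps):
        return "ok: CAP_NET_BIND_SERVICE is effective"
    if not has_cap(caps.bounding, CAP_NET_BIND_SERVICE):
        return ("blocked: CAP_NET_BIND_SERVICE not in bounding set "
                "(CapabilityBoundingSet= is too tight)")
    return ("blocked: CAP_NET_BIND_SERVICE is in the bounding set but not effective "
            "(add AmbientCapabilities=CAP_NET_BIND_SERVICE)")


# Constructed /proc/<pid>/status fragments, not captured from a real host.
# A non-root lego under CapabilityBoundingSet=CAP_NET_BIND_SERVICE alone
# (0x400 is bit 10, i.e. CAP_NET_BIND_SERVICE):
STATUS_BOUNDING_ONLY = """\
Name:\tlego
Uid:\t991\t991\t991\t991
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""

# The same service with AmbientCapabilities=CAP_NET_BIND_SERVICE added as well:
STATUS_WITH_AMBIENT = """\
Name:\tlego
Uid:\t991\t991\t991\t991
CapInh:\t0000000000000400
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000400
"""

if __name__ == "__main__":
    for label, text in (("bounding only", STATUS_BOUNDING_ONLY),
                        ("with ambient", STATUS_WITH_AMBIENT)):
        print(f"{label}: {diagnose(parse_proc_status(text))}")
```

On a live system the unit's directives can be read with `systemctl show -p CapabilityBoundingSet -p AmbientCapabilities acme-<domain>.service`, and the masks of a running process with `grep ^Cap /proc/<pid>/status`; the acme unit is short-lived, so the second check is easier against a long-running service with the same two directives.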
m1cr0man added a commit to m1cr0man/nixpkgs that referenced this issue on Sep 19, 2022:

> Fixes NixOS#191794
>
> Lego threw a permission denied error binding to port 80.
> AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
> Also added a test for this.
### Notify maintainers

@aanderse @andrew-d @arianvp @emilazy @flokli @m1cr0man

### Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.67, NixOS, 22.05 (Quokka), 22.05.3065.178fea1414a`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `"nixos-22.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`