hlandau / acmetool

:lock: acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)
https://hlandau.github.io/acmetool/

certrequest is failing with api-v2 #332

Open kaikrueger opened 4 years ago

kaikrueger commented 4 years ago

I have compiled the current version of acmetool on Ubuntu 18.

acmetool quickstart works fine but when I run acmetool want <domain> I get the following error message:

20200408071127 [ERROR] acmetool.storageops: Target(<domain>;https://acme-v02.api.letsencrypt.org/directory;0): failed to request certificate: the following errors occurred:
exhausted all possible challenges in authorization "https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxx" [due to inner error: the following errors occurred:
Get "http://<domain>/.well-known/acme-challenge/xxxxxxxxxxxxxx": dial tcp 1<ip>:80: connect: connection refused; 
could not install DNS challenge, no hooks succeeded; 
challenge type not supported]

In the tcpdump I can see that no one is trying to connect to my host on port 80. From another host I can access http://<domain>/.well-known/acme-challenge/xxxxxxxxxxxxxx.

Has anybody an idea what's going wrong? Thanks.

Mrten commented 4 years ago

I used to run it like this:

acmetool  --xlog.severity=debug > dump 2>&1

Have always made my config by hand, so no detailed clues.

kaikrueger commented 4 years ago

Thanks, now I can figure out the cause of the problem:

20200427082524 [DEBUG] acmetool.reshttp: acquire port "[::]:80" "xxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: acquire port ":80" "xxxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :80: listen tcp :80: bind: address already in use

It seems that this version of acmetool must run as root and the webserver must have been stopped first.

So the Rootless setup is not working anymore. Did I miss something or is that wanted?

sbuller commented 4 years ago

I may be off base here, but binding to low ports is restricted. https://unix.stackexchange.com/questions/10735/allowing-a-user-to-let-listen-to-a-port-below-1024

Good luck.

kaikrueger commented 4 years ago

I see, that I should clarify:

Up to now it was possible to run acmetool reconcile as a cron job without stopping the webserver (apache, nginx, ...). This version of acmetool is itself starting a webserver on port 80, and it seems that you are not even able to tell it to start on another port.

Maybe I'm wrong, but the only way to reconcile seems to be a script like this:

systemctl stop nginx
/usr/bin/acmetool reconcile
systemctl start nginx

CL-Jeremy commented 4 years ago

I think the strategies have remained the same as before with v0.0.x. It also doesn't make sense to have acmetool listening on other ports (unless you are using DNS-01, for which custom hooks are needed, cf. Wiki).

The symptoms you describe here seem to suggest that you have chosen a different authentication method than intended. I have tested on my own computer (Mac) that selecting WEBROOT works as expected. Try running acmetool quickstart again to specify that. With WEBROOT nothing should be spawned by the tool.

Also, Ubuntu has imported the packaged version at https://launchpad.net/ubuntu/+source/acmetool/0.2.1-2, so systemd units should be working as expected.

hailfinger commented 4 years ago

@CL-Jeremy Of course it makes sense to have acmetool listening on other ports. The documentation even mentions it.

@kaikrueger I had the same problem and fixed it. Rootless operation is still possible, but you need to work around a few pitfalls. /var/run/acme needs to be owned by the user acme, and the built-in self-test will cause funny failures for non-root operation on nonstandard ports. I recommend tracing your nftables rules (if applicable) and checking whether /var/lib/acme/desired/myhostname-someid needs a few more lines similar to:

request:
  challenge:
    http-ports:
      - 0.0.0.0:4402

Note that the self-tests do funny stuff like connecting to 127.0.1.1 (not 127.0.0.1), so make sure the self-tests can successfully connect to the built-in acmetool instance of a web server, and also check if you need to specify 0.0.0.0:4402 as http-ports instead of just 4402.
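The two diagnostics that surface in this thread (kaikrueger's "bind: address already in use" debug lines, and hailfinger's advice to pin http-ports to an explicit 0.0.0.0:4402 and to keep /var/run/acme owned by the acme user) can be folded into a small triage script. The following is an added example, not code from acmetool or from anyone in the thread. It assumes the log line shape quoted above, a desired-target file laid out like hailfinger's snippet, and the /var/run/acme path from his comment; the sample log and YAML fragment are constructed, and the YAML reader is deliberately minimal rather than a general parser.

```python
"""Rootless HTTP-01 triage for acmetool (constructed example, not acmetool's own code).

Checks the points raised in the thread: bind failures in
`acmetool --xlog.severity=debug` output, whether the desired target pins
http-ports to an explicit bind address (0.0.0.0:4402, not a bare 4402),
and who owns /var/run/acme.
"""
import os
import pwd
import re

# Shape of the reshttp lines quoted in the thread, e.g.
# "... acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use"
BIND_FAIL_RE = re.compile(
    r"acmetool\.reshttp: failed to listen on (?P<addr>\S+?): .*?: bind: (?P<reason>.+)$"
)

# Constructed sample log, modelled on the lines posted in the issue.
SAMPLE_LOG = """\
20200427082524 [DEBUG] acmetool.reshttp: acquire port "[::]:80" "xxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: acquire port ":80" "xxxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :80: listen tcp :80: bind: address already in use
"""

# Constructed desired-target fragment; the bare "4402" entry is there to trigger the check.
SAMPLE_DESIRED = """\
request:
  challenge:
    http-ports:
      - 0.0.0.0:4402
      - 4402
"""


def find_bind_failures(log_text):
    """Return [(addr, reason), ...] for every failed listen attempt in the debug log."""
    failures = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            failures.append((m.group("addr"), m.group("reason").strip()))
    return failures


def http_ports_from_desired(yaml_text):
    """Collect the '- item' entries under 'http-ports:' (minimal reader, no PyYAML)."""
    ports, key_indent = [], None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if key_indent is not None:
            if stripped.startswith("- ") and indent >= key_indent:
                ports.append(stripped[2:].strip())
                continue
            key_indent = None  # the list ended at this line
        if stripped == "http-ports:":
            key_indent = indent
    return ports


def classify_http_port(entry):
    """'explicit' for host:port such as 0.0.0.0:4402 or [::]:4402, 'bare' for 4402 alone."""
    if entry.isdigit():
        return "bare"
    return "explicit" if ":" in entry else "unknown"


def check_run_dir_owner(path="/var/run/acme", expected_user="acme"):
    """Return (ok, owner) for acmetool's runtime directory; a missing path gives (False, None)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry
    return owner == expected_user, owner


def triage(log_text, yaml_text):
    """Summarise findings as plain strings so they can be printed or asserted on."""
    findings = [f"listener {a} could not bind: {r}" for a, r in find_bind_failures(log_text)]
    ports = http_ports_from_desired(yaml_text)
    if not ports:
        findings.append("desired target sets no http-ports entry")
    for p in ports:
        if classify_http_port(p) == "bare":
            findings.append(f"http-port {p!r} has no bind address; try 0.0.0.0:{p}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_DESIRED):
        print(finding)
    ok, owner = check_run_dir_owner()
    print(f"/var/run/acme owner: {owner} ({'ok' if ok else 'not the acme user'})")
```

Run it against a real `acmetool --xlog.severity=debug > dump 2>&1` capture and the target's desired file to see in one pass whether the failure is a port conflict, a missing or bare http-ports entry, or the runtime directory being owned by the wrong user.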

backstube commented 3 years ago

Hi @kaikrueger, thanks for posting this issue. I have been using acmetool myself for several years; a few weeks/months back it stopped renewing certificates (unnoticed). My acmetool's error and debug log is nearly identical to the one you posted above.

I did the required upgrade to 0.2.1 because of Let's Encrypt APIv2. With that, not a single reconcile run was successful.

Did you manage to run it successfully? I'd be more than happy to hear how!