Nginx + acme (dns-01) tries to bind to port 8000

I’m trying to get SSL for a private domain (accessible only on local network) to work, including trusted certificates. So I’m trying to implement this according to the docs.

My problem is that whenever I set this config, nginx fails because it’s trying to bind to port 8000, which is in use.

I could move that process to another port, but that’s stupid. I don’t see why the dns-01 challenge should need to bind to any port. And I have looked through the generated nginx config and found no reference to port 8000. Do you have any idea why nginx might attempt to bind to this port in this scenario?

This is the error I get:

sudo journalctl -xeu nginx:

...
Automatic restarting of the unit nginx.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Nov 30 21:52:51 m-testserver systemd[1]: Starting Nginx Web Server...
░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit nginx.service has begun execution.
░░ 
░░ The job identifier is 244292.
Nov 30 21:52:51 m-testserver nginx-pre-start[766859]: nginx: the configuration file /nix/store/q7nwxck52l16sfbga62hiv9i4ib67h4b-nginx.conf syntax is ok
Nov 30 21:52:51 m-testserver nginx-pre-start[766859]: nginx: configuration file /nix/store/q7nwxck52l16sfbga62hiv9i4ib67h4b-nginx.conf test is successful
Nov 30 21:52:51 m-testserver systemd[1]: Started Nginx Web Server.
░░ Subject: A start job for unit nginx.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit nginx.service has finished successfully.
░░ 
░░ The job identifier is 244292.
Nov 30 21:52:51 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: bind() to 0.0.0.0:8000 failed (98: Address already in use)
Nov 30 21:52:52 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: bind() to 0.0.0.0:8000 failed (98: Address already in use)
Nov 30 21:52:52 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: bind() to 0.0.0.0:8000 failed (98: Address already in use)
Nov 30 21:52:53 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: bind() to 0.0.0.0:8000 failed (98: Address already in use)
Nov 30 21:52:53 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: bind() to 0.0.0.0:8000 failed (98: Address already in use)
Nov 30 21:52:54 m-testserver nginx[766860]: 2024/11/30 21:52:51 [emerg] 766860#766860: still could not bind()
Nov 30 21:52:54 m-testserver systemd[1]: nginx.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit nginx.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 30 21:52:54 m-testserver systemd[1]: nginx.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit nginx.service has entered the 'failed' state with result 'exit-code'.

And this is the config it uses:

pid /run/nginx/nginx.pid;
error_log stderr;
daemon off;
events {
}
http {
        # Load mime types.
        include /nix/store/8hd0ybpxxv90gbavys5prphzhks4zmm7-mailcap-2.1.53/etc/nginx/mime.types;
        # When recommendedOptimisation is disabled nginx fails to start because the mailmap mime.types database
        # contains 1026 entries and the default is only 1024. Setting to a higher number to remove the need to
        # overwrite it because nginx does not allow duplicated settings.
        types_hash_max_size 4096;
        include /nix/store/8cqd1v25q5f0ilrks75c5zmp3gfl8viy-nginx-1.26.2/conf/fastcgi.conf;
        include /nix/store/8cqd1v25q5f0ilrks75c5zmp3gfl8viy-nginx-1.26.2/conf/uwsgi_params;
        default_type application/octet-stream;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
        proxy_redirect          off;
        proxy_connect_timeout   60s;
        proxy_send_timeout      60s;
        proxy_read_timeout      60s;
        proxy_http_version      1.1;
        # don't let clients close the keep-alive connection to upstream. See the nginx blog for details:
        # https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives
        proxy_set_header        "Connection" "";
        include /nix/store/rn80c699srwcl8lxyvikq0dxb3rk7d9a-nginx-recommended-proxy-headers.conf;
        # $connection_upgrade is used for websocket proxying
        map $http_upgrade $connection_upgrade {
                default upgrade;
                ''      close;
        }
        client_max_body_size 10m;
        server_tokens off;
        server {
                listen 0.0.0.0:80 ;
                listen [::0]:80 ;
                server_name arcus.mydomain.de ;
                location / {
                        return 301 https://$host$request_uri;
                }
        }
        server {
                listen 0.0.0.0:443 ssl ;
                listen [::0]:443 ssl ;
                server_name arcus.mydomain.de ;
                http2 on;
                ssl_certificate /var/lib/acme/arcus.mydomain.de/fullchain.pem;
                ssl_certificate_key /var/lib/acme/arcus.mydomain.de/key.pem;
                ssl_trusted_certificate /var/lib/acme/arcus.mydomain.de/chain.pem;
                root /nix/store/lmb35vji7yib11x6j2dpzi06c3c77hlf-arcus-frontend-0.0.1/;
                location / {
                        index index.html;
                        try_files $uri /index.html;
                }
                location = /config.json {
                        default_type application/json;
                        alias /nix/store/csl2844024zddrwz5q016a4z8drmla56-config.json;
                }
        }
        server {
                listen 0.0.0.0:80 ;
                server_name auth.mydomain.de ;
                location / {
                        return 301 https://$host$request_uri;
                }
        }
        server {
                server_name auth.mydomain.de ;
                http2 on;
                ssl_certificate /var/lib/acme/auth.mydomain.de/fullchain.pem;
                ssl_certificate_key /var/lib/acme/auth.mydomain.de/key.pem;
                ssl_trusted_certificate /var/lib/acme/auth.mydomain.de/chain.pem;
                location / {
                        proxy_pass http://localhost:3546;
                        include /nix/store/rn80c699srwcl8lxyvikq0dxb3rk7d9a-nginx-recommended-proxy-headers.conf;
                }
        }
        server {
                listen 0.0.0.0:80 ;
                listen [::0]:80 ;
                server_name localhost ;
                location / {
                        return 301 https://$host$request_uri;
                }
        }
        server {
                listen 0.0.0.0:443 ssl ;
                listen [::0]:443 ssl ;
                server_name localhost ;
                http2 on;
                ssl_certificate /run/agenix/nextcloudSslCertificate;
                ssl_certificate_key /run/agenix/nextcloudSslCertificateKey;
                root /nix/store/3bp5p88kjfbpsrwdf3q7j8zyrbc4mjr2-nextcloud-29.0.7-with-apps;
                location = / {
                        if ( $http_user_agent ~ ^DavClnt ) {
                                return 302 /remote.php/webdav/$is_args$args;
                        }
                }
                location = /robots.txt {
                        allow all;
                        access_log off;
                }
                location ^~ /.well-known {
                        absolute_redirect off;
                        location = /.well-known/carddav {
                                return 301 /remote.php/dav/;
                        }
                        location = /.well-known/caldav {
                                return 301 /remote.php/dav/;
                        }
                        location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
                                return 301 /index.php$request_uri;
                        }
                        try_files $uri $uri/ =404;
                }
                location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                        return 404;
                }
                location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
                        return 404;
                }
                location ~ \.php(?:$|/) {
                        # legacy support (i.e. static files and directories in cfg.package)
                        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[s]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
                        include /nix/store/8cqd1v25q5f0ilrks75c5zmp3gfl8viy-nginx-1.26.2/conf/fastcgi.conf;
                        fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
                        set $path_info $fastcgi_path_info;
                        try_files $fastcgi_script_name =404;
                        fastcgi_param PATH_INFO $path_info;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_param HTTPS on;
                        fastcgi_param modHeadersAvailable true;
                        fastcgi_param front_controller_active true;
                        fastcgi_pass unix:/run/phpfpm/nextcloud.sock;
                        fastcgi_intercept_errors on;
                        fastcgi_request_buffering off;
                        fastcgi_read_timeout 120s;
                }
                location ~ \.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$ {
                        try_files $uri /index.php$request_uri;
                        expires 6M;
                        access_log off;
                        location ~ \.mjs$ {
                                default_type text/javascript;
                        }
                        location ~ \.wasm$ {
                                default_type application/wasm;
                        }
                }
                location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
                        try_files $uri/ =404;
                        index index.php;
                }
                location /remote {
                        return 301 /remote.php$request_uri;
                }
                location / {
                        try_files $uri $uri/ /index.php$request_uri;
                }
                index index.php index.html /index.php$request_uri;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag "noindex, nofollow";
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
                add_header X-Frame-Options sameorigin;
                add_header Referrer-Policy no-referrer;
                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
                client_max_body_size 512M;
                fastcgi_buffers 64 4K;
                fastcgi_hide_header X-Powered-By;
                gzip on;
                gzip_vary on;
                gzip_comp_level 4;
                gzip_min_length 256;
                gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
                gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        }
        server {
                listen 0.0.0.0:80 ;
                server_name search.mydomain.de ;
                location / {
                        return 301 https://$host$request_uri;
                }
        }
        server {
                server_name search.mydomain.de ;
                http2 on;
                ssl_certificate /var/lib/acme/search.mydomain.de/fullchain.pem;
                ssl_certificate_key /var/lib/acme/search.mydomain.de/key.pem;
                ssl_trusted_certificate /var/lib/acme/search.mydomain.de/chain.pem;
                location / {
                        proxy_pass http://localhost:7700;
                        if ($request_method = OPTIONS ) {
                                add_header 'Access-Control-Allow-Origin' '*';
                                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
                                add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-Meilisearch-Client';
                                add_header 'Access-Control-Max-Age' 1728000;
                                add_header 'Content-Length' 0;
                                add_header 'Content-Type' 'text/plain charset=UTF-8';
                                return 204;
                        }
                        include /nix/store/rn80c699srwcl8lxyvikq0dxb3rk7d9a-nginx-recommended-proxy-headers.conf;
                }
        }
}

I suspect this config will lead to other issues down the line, like redirecting all traffic to nextcloud, accidentally, but let’s not get into that here and now… :wink:
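As an added illustration (my own script, not part of the original post or of the NixOS module): nginx's documentation for the `listen` directive states that a `server` block without any `listen` line defaults to `*:80` when the master process runs as root and to `*:8000` otherwise. The scanner below walks a constructed sample config shaped like the one above and reports which server blocks rely on that implicit default, so a generated config can be checked before nginx tries to bind.

```python
import re

# nginx's documented default when a server block has no listen directive:
# *:80 if the master process runs as root, *:8000 otherwise.
def implicit_listen(running_as_root):
    return "*:80" if running_as_root else "*:8000"

def server_blocks(conf):
    """Yield the body text of every top-level `server { ... }` block (comments removed)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk braces to the matching close
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit_listen(conf, running_as_root=False):
    """Return (server_name, bound_addresses, is_implicit) for each server block."""
    rows = []
    for body in server_blocks(conf):
        names = [n.strip() for n in re.findall(r"\bserver_name\s+([^;]+);", body)]
        listens = [l.strip() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        name = " ".join(names) or "(no server_name)"
        if listens:
            rows.append((name, listens, False))
        else:
            rows.append((name, [implicit_listen(running_as_root)], True))
    return rows

# Constructed sample: the second block has TLS certificates but no listen line,
# mirroring the auth./search. blocks in the posted config. Host name is made up.
SAMPLE_CONF = """
http {
    server {
        listen 0.0.0.0:80 ;
        server_name example.test ;   # plain-HTTP redirect block
        location / { return 301 https://$host$request_uri; }
    }
    server {
        server_name example.test ;
        ssl_certificate /var/lib/acme/example.test/fullchain.pem;
        location / { proxy_pass http://localhost:3546; }
    }
}
"""

if __name__ == "__main__":
    for name, addrs, implicit in audit_listen(SAMPLE_CONF, running_as_root=False):
        flag = "IMPLICIT DEFAULT" if implicit else "explicit"
        print(f"{name:30} {', '.join(addrs):20} {flag}")
```

Run it against the real generated file by reading it into `audit_listen`; every row marked IMPLICIT DEFAULT is a server block that will bind 8000 (or 80 as root) without that port appearing anywhere in the config text.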