I’m using nixos-unstable, and I’m trying to get a certificate on a machine that has no HTTP server installed. So, I found the listenHTTP option.
security.acme.certs."{OMITTED}" = {
listenHTTP = "0.0.0.0:80";
};
However, it doesn’t work and tells me this:
acme: error presenting token: could not start HTTP server for challenge: listen tcp 0.0.0.0:80:bind: permission denied
I have already checked the service file. It contains REALLY A LOT of privilege limitations, but it already has AmbientCapabilities=CAP_NET_BIND_SERVICE added.
Can anybody help me out?
OK, I did a bit of digging.
The latest seems to set CapabilityBoundingSet = "";
introduced by this commit
committed 04:27PM - 16 May 21 UTC
Might be the problem. I can’t test it right now, but hopefully this gives you some clues.
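The service-level override that follows from the diagnosis above, written out as an added example (it is not configuration posted by anyone in this thread or shipped by the NixOS acme module). It assumes a certificate named `example.com`, so the unit the module generates is `acme-example.com.service`, and it assumes the module defines `CapabilityBoundingSet` as the string `""`, which is why `lib.mkForce` is needed: the systemd option type refuses to merge a string definition with a list one.

```nix
{ config, lib, ... }:

{
  security.acme.acceptTerms = true;
  security.acme.email = "admin@example.com";   # placeholder address

  # Hypothetical certificate name; the systemd unit below must use the same one.
  security.acme.certs."example.com" = {
    # Let lego's built-in HTTP-01 responder bind port 80 itself,
    # since there is no web server on this host to serve the webroot.
    listenHTTP = "0.0.0.0:80";
  };

  # The module hardens acme-<name>.service with an empty capability bounding set.
  # A capability missing from the bounding set can never be in the permitted set
  # after execve, and the ambient set must be a subset of the permitted set, so
  # the AmbientCapabilities=CAP_NET_BIND_SERVICE the module already adds is
  # silently lost and the bind to :80 fails with "permission denied".
  # Widen the bounding set to exactly that one capability and nothing more; the
  # rest of the hardening (ProtectSystem, NoNewPrivileges, ...) stays in place.
  systemd.services."acme-example.com".serviceConfig.CapabilityBoundingSet =
    lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
}
```

After `nixos-rebuild switch`, `systemctl show acme-example.com.service -p CapabilityBoundingSet -p AmbientCapabilities` should list `cap_net_bind_service` for both properties; if the bounding set still shows empty, the override did not take priority. This is a local workaround that re-grants one capability to an otherwise unprivileged unit; the proper fix belongs in the module itself.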
Yes, it worked!
Well, I’m new to NixOS, but can I create an issue on GitHub directly?
Great, you can either raise an issue, or even better raise a pull request for the change (you can mark it Work in Progress if you’re not confident it’s the actual fix (security is hard)). Perhaps tag in the maintainers of acme and [mweinelt] and see if they can help too.
Welcome to NixOS. I think this is a great example of when things go wrong, it’s possible to do root-cause analysis down to the granularity of a single commit.
no other operating system on earth allows this :-).
Happy niXmas
hexa, December 26, 2021, 10:38am
Use case covered in the following PR, which hit master two weeks ago.
NixOS:master ← deviant:acme-standalone (opened 04:52PM - 01 Jun 21 UTC)
###### Motivation for this change
Currently, we hardcode the use of `--http.w… ebroot`, even if no webroot is
configured. This has the effect of disabling the built-in server.
###### Things done
- [x] Tested using sandboxing ([nix.useSandbox](https://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](https://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
- Built on platform(s)
  - [x] NixOS
  - [ ] macOS
  - [ ] other Linux distributions
- [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- [ ] Tested execution of all binary files (usually in `./result/bin/`)
- [ ] Added a release notes entry if the change is major or breaking
- [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
But it still requires a fix from:
NixOS:master ← m1cr0man:acme (opened 11:16PM - 28 Nov 21 UTC)
###### Motivation for this change
Closes #147348, #138478, #129838, #108237, … #140906, #101389, #140709, #101389
###### Things done
- Add `security.acme.defaults` and `security.acme.certs.<name>.inheritDefaults` options for easy setting of configuration across multiple certs. Additionally the following options have been moved into defaults: server, email, validMinDays and renewInterval.
- Add `security.acme.useRoot` to allow having cert files owned by root. This is a dirtier solution than using `LoadCredential` but the majority of people probably will use this regardless. It at least gives users the choice when it comes to the (quite niche) security concerns it raises. See #140709
- Always try a `lego renew` even if within validMinDays to check for revocation by CA. Errors are ignored if within validMinDays to respect #85794
- Always perform a `lego run` if the domainHash is changed, to resolve #140709 and work around go-acme/lego#1532 (which I plan to try and fix myself upstream).
- Modify `services.nginx.virtualHosts.<name>.acmeRoot` to accept null and subsequently support inheriting the webroot value from the new `security.acme.defaults`. The intention here is using `enableACME` with DNS-01 validation.
- Refactor of the test suite to reduce the number of configuration switches, remove old race condition workarounds and standardise test suite between Nginx and HTTPd whilst making it easier to add new web server tests in the future. It also covers the above `enableACME`+DNS-01 use case too. Total run time is 192 seconds on my system.
- Add `StartLimitIntervalSec=0` to avoid unwanted rate limiting (despite the `ConditionPathExists`) of the selfsigned cert management services.
- Updated the documentation on configuring DNS validation to use a service to generate the tsig key rather than some manual steps. This resolves #101389
- Built on platform(s)
  - [X] x86_64-linux
  - [ ] aarch64-linux
  - [ ] x86_64-darwin
  - [ ] aarch64-darwin
- [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
- [X] Tested, as applicable:
  - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
  - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests)
  - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
  - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
- [x] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [x] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [21.11 Release Notes (or backporting 21.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2111-release-notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
  - [x] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
  - [x] (Release notes changes) Ran `nixos/doc/manual/md-to-db.sh` to update generated release notes
- [X] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
Thanks for providing the links.
Wow, what a busy repo! I guess I’ll just wait for the PR to be merged.