Problem with security.acme and listenHTTP option

I’m using nixos-unstable, and I’m trying to get a certificate on a machine that has no HTTP server installed. So, I found the listenHTTP option.

  security.acme.certs."{OMITTED}" = {
    listenHTTP = "0.0.0.0:80";
  };

However, it doesn’t work and tells me this:

acme: error presenting token: could not start HTTP server for challenge: listen tcp 0.0.0.0:80:bind: permission denied

I have already checked the service file. It contains REALLY A LOT of privilege limitations, but it already has AmbientCapabilities=CAP_NET_BIND_SERVICE added.

Can anybody help me out? :thinking:

OK, I did a bit of digging.

https://sourcegraph.com/github.com/NixOS/nixpkgs/-/blob/nixos/modules/security/acme.nix

The latest seems to set CapabilityBoundingSet = "";

It was introduced by this commit.

This might be the problem. I can’t test it right now, but hopefully it gives you some clues.
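As an added illustration of the interaction described above (not code from the thread or from nixpkgs): an ambient capability only takes effect if it is also in the unit's bounding set, so a drop-in that re-adds just CAP_NET_BIND_SERVICE keeps the rest of the sandbox intact. The certificate name is a placeholder, and the unit name `acme-<cert>` and the need for `lib.mkForce` (the module sets the directive as a string) are assumptions.

```nix
{ config, lib, ... }:
let
  # Placeholder domain; the thread omits the real one.
  cert = "example.invalid";
in {
  # Standalone HTTP-01 responder, as in the original post.
  # acceptTerms / contact email are assumed to be set elsewhere.
  security.acme.certs.${cert}.listenHTTP = "0.0.0.0:80";

  # Drop-in for the generated unit (assumed name acme-<cert>).
  # With CapabilityBoundingSet = "" the bounding set is empty, so
  # AmbientCapabilities=CAP_NET_BIND_SERVICE cannot be raised and the
  # bind to :80 fails with "permission denied". Re-adding only that one
  # capability to the bounding set is enough; everything else stays dropped.
  systemd.services."acme-${cert}".serviceConfig = {
    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
}
```

After a rebuild, `systemctl show acme-<cert>.service -p CapabilityBoundingSet -p AmbientCapabilities` should list the capability under both properties.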

Yes, it worked!

Well, I’m new to NixOS, but can I create an issue on GitHub directly?

Great. You can either raise an issue or, even better, raise a pull request for the change (you can mark it Work in Progress if you’re not confident it’s the actual fix; security is hard). Perhaps tag the maintainers of acme and [mweinelt] and see if they can help too.

Welcome to NixOS. I think this is a great example of how, when things go wrong, it’s possible to do root cause analysis down to the granularity of a single commit.

No other operating system on earth allows this :-).

Happy niXmas

Use case covered in the following PR, which hit master two weeks ago.

https://github.com/NixOS/nixpkgs/pull/125256

But it still requires a fix from

https://github.com/NixOS/nixpkgs/pull/147784

Thanks for providing the links.
Wow, what a busy repo! I guess I’ll just wait for the PR to be merged :rofl: