lua-resty-auto-ssl

unauthorized access to hook server (hook secret did not match)

Open · gohai opened this issue 6 years ago · 1 comment

I recently decided to restart nginx after some configuration changes, using sudo systemctl restart nginx. Afterwards I saw renewal requests failing like so:

2018/04/09 20:50:45 [error] 12017#12017: *103 [lua] hook.lua:8: server(): auto-ssl: unauthorized access to hook server (hook secret did not match), client: 127.0.0.1, server: , request: "POST /deploy-challenge HTTP/1.1", host: "127.0.0.1:8999"

(...)
 + Requesting challenge for www.somedomain.com...
 err: curl: (22) The requested URL returned error: 401 Unauthorized

and earlier also

 + Requesting challenge for delabrave.com...
 err: curl: (7) Failed connect to 127.0.0.1:8999; Connection refused

So I am wondering if the previous hook server potentially did not exit when the main resty process did? This is an issue for us, since we're quickly in Error creating new authz :: too many currently pending authorizations territory when this happens.

Any workarounds?

gohai · Apr 09 '18 21:04

Looking through the source code a bit, I suspect that this hiccup might have something to do with the fact that our systemd unit configuration for nginx used the default PrivateTmp=true.

While I don't fully understand the code, it seems that the sockproc code uses /tmp/shell.sock and /tmp/auto-ssl-sockproc.pid, and also expects those to persist across restarts, so I could see how this could have caused an issue with systemd putting those files into a private (per-runtime) directory and deleting it after a stop.

We changed our configuration to PrivateTmp=false and will monitor if this happens again. Feel free to close the bug in the meantime.

(Not sure if other paths than /tmp were considered for those files, but this could make sense if more people run into this.)

gohai · Apr 13 '18 22:04
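The diagnosis above turns on two things an operator can check directly: what the effective PrivateTmp setting of the nginx unit is, and whether the sockproc files named in the comment (/tmp/shell.sock and /tmp/auto-ssl-sockproc.pid) are actually visible in the host's /tmp rather than in a per-service private directory. The script below is an added example, not code from the issue or from lua-resty-auto-ssl: it parses a unit fragment for PrivateTmp the way systemd resolves it (absent means no, last assignment wins, an empty assignment resets), writes the fix as a drop-in override instead of editing the vendor unit, and checks for the two files. The directory argument to `write_private_tmp_override` and the `tmp` argument to `sockproc_files_present` are stand-ins for /etc/systemd/system and /tmp so the script can be exercised offline; the drop-in file name `private-tmp.conf` is my choice, not a project convention.

```shell
#!/bin/sh
# Added example (not from the issue or the lua-resty-auto-ssl project).
# Checks the systemd PrivateTmp setting behind the hook-server failures
# described above and writes the override as a per-unit drop-in.

# Print the effective PrivateTmp value ("yes" or "no") for unit text on stdin.
# systemd defaults PrivateTmp to "no" when the key is absent; the last
# assignment wins, and an empty "PrivateTmp=" resets to the default.
private_tmp_setting() {
    awk '
        BEGIN { v = "no" }
        /^[[:space:]]*PrivateTmp=/ {
            sub(/^[[:space:]]*PrivateTmp=/, "")
            if ($0 == "") v = "no"
            else if ($0 ~ /^(yes|true|on|1)$/) v = "yes"
            else v = "no"
        }
        END { print v }
    '
}

# Write a drop-in that systemd merges over the vendor nginx.service.
# $1 stands in for /etc/systemd/system; the path written is printed.
# Limiting the change to a drop-in keeps the vendor unit upgradable and
# keeps the reduced /tmp isolation scoped to this one service.
write_private_tmp_override() {
    dir="$1/nginx.service.d"
    mkdir -p "$dir"
    cat > "$dir/private-tmp.conf" <<'EOF'
[Service]
PrivateTmp=false
EOF
    printf '%s\n' "$dir/private-tmp.conf"
}

# Succeed only if both sockproc files named in the issue exist under $1
# (default /tmp). With PrivateTmp=yes they live in a per-service namespace,
# so this check from a host shell fails even while nginx is running.
sockproc_files_present() {
    tmp="${1:-/tmp}"
    [ -e "$tmp/shell.sock" ] && [ -f "$tmp/auto-ssl-sockproc.pid" ]
}

# Stand-alone demo: run with --demo to inspect a constructed unit fragment.
if [ "${1:-}" = "--demo" ]; then
    printf '[Service]\nExecStart=/usr/sbin/nginx\nPrivateTmp=true\n' \
        | private_tmp_setting
    if sockproc_files_present /tmp; then
        echo "sockproc files visible in /tmp"
    else
        echo "sockproc files not visible in /tmp"
    fi
fi
```

On a live host the same check is `systemctl show -p PrivateTmp nginx.service`, and after writing the drop-in under /etc/systemd/system/nginx.service.d/ a `systemctl daemon-reload` is needed before the next restart picks it up. PrivateTmp is a hardening setting, so turning it off trades some isolation of nginx's temporary files for the persistence the sockproc files need; the drop-in keeps that trade confined to this unit.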