I recently decided to restart `nginx` after some configuration changes, using `sudo systemctl restart nginx`. Afterwards I saw renewal requests failing like so:

```
2018/04/09 20:50:45 [error] 12017#12017: *103 [lua] hook.lua:8: server(): auto-ssl: unauthorized access to hook server (hook secret did not match), client: 127.0.0.1, server: , request: "POST /deploy-challenge HTTP/1.1", host: "127.0.0.1:8999"
(...)
+ Requesting challenge for www.somedomain.com...
err: curl: (22) The requested URL returned error: 401 Unauthorized
```

and earlier also

```
+ Requesting challenge for delabrave.com...
err: curl: (7) Failed connect to 127.0.0.1:8999; Connection refused
```

So I am wondering if the previous hook server potentially did not exit when the main `resty` process did? This is an issue for us, since we're quickly in `Error creating new authz :: too many currently pending authorizations` territory when this happens.
Any workarounds?
Looking through the source code a bit I suspect that this hiccup might have something to do with the fact that our systemd unit configuration for nginx used the default `PrivateTmp=true`.
While I don't fully understand the code, it seems that the sockproc code uses `/tmp/shell.sock` and `/tmp/auto-ssl-sockproc.pid`, and also expects those to persist across restarts, so I could see how this could have caused an issue with systemd putting those files into a private (per-runtime) directory, and deleting it after a stop.
We changed our configuration to `PrivateTmp=false` and will monitor if this happens again. Feel free to close the bug in the meantime.
(Not sure if other paths than /tmp were considered for those files, but this could make sense if more people trap into this.)
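
Added example (not part of the original thread or of lua-resty-auto-ssl): a small shell diagnostic for the hypothesis in the comment above. It reports the effective `PrivateTmp` value from a unit file plus its drop-ins, and classifies the two sockproc files named in the comment as running, stale or absent. The function names and the directory argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of lua-resty-auto-ssl.
# File names come from the comment above; function names are hypothetical.

# private_tmp_setting FILE...
# Print the effective PrivateTmp value from a unit file followed by its
# drop-ins, in the order systemd reads them. The last assignment wins;
# with no assignment, systemd's built-in default is false.
private_tmp_setting() {
    value=false
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(printf '%s' "$line" | tr -d ' \t')
            case "$line" in
                PrivateTmp=1|PrivateTmp=yes|PrivateTmp=true|PrivateTmp=on)
                    value=true ;;
                PrivateTmp=|PrivateTmp=0|PrivateTmp=no|PrivateTmp=false|PrivateTmp=off)
                    value=false ;;
            esac
        done < "$f"
    done
    echo "$value"
}

# sockproc_state [DIR]
# Classify the sockproc files under DIR (default /tmp):
#   running - pid file names a live process and the socket path exists
#   stale   - a pid file or socket is left over without a live process
#   absent  - neither file exists
sockproc_state() {
    dir=${1:-/tmp}
    pidfile=$dir/auto-ssl-sockproc.pid
    sock=$dir/shell.sock
    if [ -r "$pidfile" ]; then
        pid=$(tr -cd '0-9' < "$pidfile")
        if [ -n "$pid" ] && [ -d "/proc/$pid" ] && [ -e "$sock" ]; then
            echo running
        else
            echo stale
        fi
        return 0
    fi
    if [ -e "$sock" ]; then echo stale; else echo absent; fi
}
```

To look at the private `/tmp` of a running service from the host, pass `/proc/<nginx master PID>/root/tmp` as the directory (this needs root).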