
Port check in standalone mode #3624

Closed
Vorticity-Flux opened this issue Jul 25, 2021 · 7 comments

Comments

@Vorticity-Flux

I have a multi-homed server with separate public and private network interfaces. Web server on port 80 is running on private network, port 80 is available on public network.
I try to issue new certificate with acme.sh --issue --standalone --local-address <public_IP> -d x.y.z but it fails with

[Sun Jul 25 21:25:12 UTC 2021] Standalone mode.
[Sun Jul 25 21:25:12 UTC 2021] _checkport='80'
[Sun Jul 25 21:25:12 UTC 2021] _checkaddr='<public_IP>'
[Sun Jul 25 21:25:12 UTC 2021] Using: ss
[Sun Jul 25 21:25:12 UTC 2021] LISTEN0      128                         <private_IP>:80           0.0.0.0:*     users:(("nginx",pid=19107,fd=6),("nginx",pid=19105,fd=6),("nginx",pid=19104,fd=6),("nginx",pid=19103,fd=6),("nginx",pid=19101,fd=6))
[Sun Jul 25 21:25:12 UTC 2021] tcp port 80 is already used by (("nginx",pid=19107,fd=6),("nginx",pid=19105,fd=6),("nginx",pid=19104,fd=6),("nginx",pid=19103,fd=6),("nginx",pid=19101,fd=6))
[Sun Jul 25 21:25:12 UTC 2021] Please stop it first
[Sun Jul 25 21:25:12 UTC 2021] _on_before_issue.

Commenting out the check for LOCAL_ANY_ADDRESS in _on_before_issue allows the process to continue, and the certificate is issued successfully.

acme.sh/acme.sh, line 3443 in a199fc6:

if [ -z "$netprc" ]; then

@montaniasystemab

I can confirm this issue: the check for open ports does not consider the option Le_LocalAddress and denies renewal if the port is open on any IP address.

@Neilpang
Member

This is intended.

If a process (nginx) is listening on any address ("0.0.0.0:80"), another process should not try to listen on any one local IP address ("x.y.z.w").

The second listener will have unexpected behavior; it's not guaranteed that the second listener can always get socket messages.

@montaniasystemab

I'm not sure that you are describing the issue that we're having. We have a process listening on a specific IP address and would like for acme.sh to listen on another IP address.

We do not have a process listening on 0.0.0.0:80 but rather on 10.0.0.1:80, and would like acme.sh to use 10.0.0.2:80.

@Neilpang
Member

@montaniasystemab Your issue is not the one that @Vorticity-Flux described.

@Neilpang
Member

We do not have a process listening on 0.0.0.0:80 but rather on 10.0.0.1:80, and would like acme.sh to use 10.0.0.2:80.

This is supported, I'm sure.

@Vorticity-Flux
Author

Vorticity-Flux commented Jul 27, 2021

We do not have a process listening on 0.0.0.0:80 but rather on 10.0.0.1:80, and would like acme.sh to use 10.0.0.2:80.

Exactly this. My web server process is listening on <private_ip>:80. No process is listening on 0.0.0.0:80 or <public_ip>:80.
Sorry if my initial description was not clear.

The problem is in the line:

acme.sh/acme.sh, line 3444 in a199fc6:

netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"

It uses grep to check for the presence of 0.0.0.0; however, this address is present in every line of the ss -ntpl output, in the Peer Address column.

# ss -ntpl
State       Recv-Q       Send-Q                                Local Address:Port               Peer Address:Port
LISTEN      0            128                                    <private_IP>:80                      0.0.0.0:*           users:(("nginx",pid=19101,fd=6),("nginx",pid=4231,fd=6),("nginx",pid=4230,fd=6),("nginx",pid=4229,fd=6),("nginx",pid=4228,fd=6))
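The comment above pins down the defect: a plain grep for 0.0.0.0 over the whole ss line hits the Peer Address column ("0.0.0.0:*") of every IPv4 listener, so a daemon bound only to a private IP is reported as blocking the port. The POSIX shell function below is an added example written for this thread; it is not acme.sh's own code and does not reproduce the project's fix. It parses only the Local Address:Port column and reports a conflict for a requested ADDR:PORT only when an existing listener is on the wildcard address or on exactly that address (an empty ADDR stands for "bind all addresses", the assumed meaning of running standalone mode without --local-address). The SAMPLE_SS text is a constructed imitation of ss -ntpl output, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ss -ntpl` output (not the issue's real output): nginx bound
# to a private address, sshd on the IPv4 wildcard, and an app on IPv6 loopback.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.0.0.1:80          0.0.0.0:*          users:(("nginx",pid=19101,fd=6))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN  0       128     [::1]:8080           [::]:*             users:(("app",pid=1200,fd=5))'

# port_conflict SS_OUTPUT PORT ADDR
# Exit status 0 (true) when binding ADDR:PORT would collide with a listener shown
# in SS_OUTPUT, 1 when it is free. Only the 4th field (Local Address:Port) is
# inspected, so the "0.0.0.0:*" in the Peer Address column can never match.
port_conflict() {
  printf '%s\n' "$1" | awk -v port="$2" -v addr="$3" '
    NR > 1 && $1 == "LISTEN" {
      # The port is the text after the last colon; the address is everything
      # before it (IPv6 addresses such as "[::1]" contain colons themselves).
      n = split($4, parts, ":")
      lport = parts[n]
      laddr = substr($4, 1, length($4) - length(lport) - 1)
      if (lport != port) next
      # Requesting the wildcard ourselves: any listener on this port conflicts.
      if (addr == "") { found = 1; exit }
      # A wildcard listener already covers every address, including ADDR.
      if (laddr == "0.0.0.0" || laddr == "*" || laddr == "[::]" || laddr == "::") { found = 1; exit }
      # Otherwise only an identical address:port pair is a real clash.
      if (laddr == addr) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Convenience wrapper for the live system: pipe real ss output through the same check.
live_port_conflict() {
  port_conflict "$(ss -ntpl 2>/dev/null)" "$1" "$2"
}

# Usage on the constructed sample (the case from this thread): port 80 is held on
# 10.0.0.1, so a standalone listener on 10.0.0.2:80 is allowed, on 10.0.0.1:80 refused.
if port_conflict "$SAMPLE_SS" 80 10.0.0.2; then echo "10.0.0.2:80 busy"; else echo "10.0.0.2:80 free"; fi
if port_conflict "$SAMPLE_SS" 80 10.0.0.1; then echo "10.0.0.1:80 busy"; else echo "10.0.0.1:80 free"; fi
```

The check is deliberately conservative in one direction: an IPv6 wildcard listener ("[::]" or "::") is treated as covering IPv4 addresses too, because on a dual-stack host it usually does, whereas a specific IPv6 address such as "[::1]" is not. That mirrors the maintainer's point that a wildcard bind plus a second address-specific bind has undefined delivery, while two listeners on distinct addresses are fine.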

Neilpang added a commit that referenced this issue Jul 28, 2021
@Neilpang
Member

Please try again with the latest dev branch.

acme.sh --upgrade -b dev

Sp1l pushed a commit to Sp1l/acme.sh that referenced this issue Aug 10, 2021