caddytls: Do not pass fd/ descriptors to ACME listener (fixes #7525) #7682
m0canu1 wants to merge 1 commit into caddyserver:master from
Conversation
Member
I think this makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.
Author
Yeah, it totally makes sense, but if you want to use this kind of challenge (HTTP-01 or TLS-ALPN-01) on Let's Encrypt, they don't let you choose an arbitrary port. Correct me if I'm wrong.
Sure, but the point is to not have caddy bind the ports. Ideally, it lets caddy run without port-binding capabilities. |
This PR fixes a bug where configuring a systemd file descriptor in `bind` or `default_bind` causes the ACME challenge solver to crash with a `no such host` error. Fixes #7525

Currently, if a user configures `bind fd/3`, Caddy passes `"fd/3"` directly to CertMagic via `iss.Challenges.BindHost`. It attempts a DNS lookup on the literal string `"fd/3"`. This fails immediately, preventing ACME certificates from being issued or renewed.

This PR intercepts the `BindHost` before it is passed to CertMagic. If it detects a file descriptor, it leaves the CertMagic `ListenHost` template blank. This safely forces CertMagic to fall back to its default behavior (binding to standard ports `:80` or `:443`), bypassing the DNS lookup crash while still allowing the main Caddy server to intercept the challenge traffic via the file descriptor.

I compiled a custom build and ran it locally using `systemd-socket-activate` to simulate the environment:

Test Caddyfile:

```
{
	servers {
		protocols h1 h2
	}
}

fake-domain-for-testing.com {
	bind fd/3
	tls {
		ca https://acme-staging-v02.api.letsencrypt.org/directory
	}
	respond "Hello World"
}
```

Assistance Disclosure
I consulted Gemini to help analyze the root cause of the socket activation bug and generate the code for this fix. I have reviewed the code and verified it is correct.
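The interception the description above gives in prose, written out as an added Go example; this is not the PR's own code or Caddy's. The function names (`isFileDescriptorBind`, `certmagicListenHost`, `bindKind`) are assumptions made for the example, and `fdgram/` is included as the datagram socket-activation prefix on the assumption that Caddy treats it like `fd/` (only `fd/3` appears in the PR). `bindKind` also shows why the bug surfaced as a DNS error: a bind host that is not an IP literal is handed to the resolver as a name, and `"fd/3"` is neither.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Prefixes that mark a bind host as a socket-activation file descriptor
// rather than an address. "fd/" is the form in the PR; "fdgram/" is an
// assumption added for this example.
var fdPrefixes = []string{"fd/", "fdgram/"}

// isFileDescriptorBind reports whether bindHost refers to an inherited
// file descriptor (e.g. "fd/3") instead of an IP or hostname.
func isFileDescriptorBind(bindHost string) bool {
	for _, p := range fdPrefixes {
		if strings.HasPrefix(bindHost, p) {
			return true
		}
	}
	return false
}

// certmagicListenHost returns the ListenHost to hand to CertMagic for a
// Caddy bind host. An fd bind yields "" so CertMagic falls back to its
// default :80/:443 listeners, as the PR describes; any other value is
// passed through unchanged. The bool reports whether an fd bind was
// suppressed, so a caller can log the decision.
func certmagicListenHost(bindHost string) (string, bool) {
	if isFileDescriptorBind(bindHost) {
		return "", true
	}
	return bindHost, false
}

// bindKind classifies a bind host the way a resolver would see it: an IP
// literal is usable directly, an fd reference is not an address at all,
// and anything else is treated as a hostname and sent to DNS. That last
// path is what turned "fd/3" into a "no such host" failure before the fix.
func bindKind(bindHost string) string {
	switch {
	case isFileDescriptorBind(bindHost):
		return "fd"
	case net.ParseIP(strings.Trim(bindHost, "[]")) != nil:
		return "ip"
	default:
		return "hostname"
	}
}

func main() {
	// Constructed sample bind hosts covering the three classes.
	for _, b := range []string{"fd/3", "fdgram/4", "10.0.0.5", "[::1]", "example.com"} {
		lh, suppressed := certmagicListenHost(b)
		fmt.Printf("bind %-12q kind=%-8s -> certmagic ListenHost %-12q (fd suppressed: %v)\n",
			b, bindKind(b), lh, suppressed)
	}
}
```

A caller that wires this into an issuer would set `iss.Challenges.BindHost` from the first return value only when it is non-empty, leaving the field at its zero value otherwise; the reviewer's comment about CertMagic accepting an FD directly would remove the need for the fallback, but that is a CertMagic change rather than something this mapping can provide.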