
Comments (7)

Mrten commented on May 26, 2024

I used to run it like this:

acmetool  --xlog.severity=debug > dump 2>&1

Have always made my config by hand, so no detailed clues.


kaikrueger commented on May 26, 2024

Thanks, now I can figure out the cause of the problem:

20200427082524 [DEBUG] acmetool.reshttp: acquire port "[::]:80" "xxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: acquire port ":80" "xxxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :80: listen tcp :80: bind: address already in use

It seems that this version of acmetool must run as root and the webserver must have been stopped first.

So the Rootless setup is not working anymore. Did I miss something or is that wanted?

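Added example, not part of the thread or of the acmetool project: a small filter that reads a debug dump like the one above and reports each challenge listener that failed to bind, with an exit status a cron wrapper can act on. The function names and `sample_dump` are hypothetical, and the last sample line (port 402, `permission denied`) is constructed to show the unprivileged-bind case.

```shell
#!/bin/sh
# Added example (not acmetool code): classify challenge-listener failures in a
# dump made with `acmetool --xlog.severity=debug > dump 2>&1`.

# Print one "ADDRESS CAUSE" line per distinct failed listener found on stdin.
listen_failures() {
  awk '
    / acmetool\.reshttp: failed to listen on / {
      addr = $0
      sub(/^.*failed to listen on /, "", addr)   # drop timestamp and prefix
      sub(/: listen .*$/, "", addr)              # drop the Go error text
      if ($0 ~ /bind: address already in use/)  cause = "in-use"
      else if ($0 ~ /bind: permission denied/)  cause = "no-privilege"
      else                                      cause = "other"
      key = addr " " cause
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Explain each failure; return 1 if any listener failed so cron can alert.
check_dump() {
  found=$(listen_failures)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found" | while read -r addr cause; do
    case $cause in
      in-use)       echo "$addr: held by another process, e.g. the web server" ;;
      no-privilege) echo "$addr: this user may not bind the port" ;;
      *)            echo "$addr: listen failed, inspect the dump" ;;
    esac
  done
  return 1
}

# Sample input: the first four lines are from the thread; the last is constructed.
sample_dump() {
  cat <<'EOF'
20200427082524 [DEBUG] acmetool.reshttp: acquire port "[::]:80" "xxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: acquire port ":80" "xxxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :80: listen tcp :80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :402: listen tcp :402: bind: permission denied
EOF
}

sample_dump | check_dump || echo "challenge listener failed; renewal may not happen"
```
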

sbuller commented on May 26, 2024

I may be off base here, but binding to low ports is restricted.
https://unix.stackexchange.com/questions/10735/allowing-a-user-to-let-listen-to-a-port-below-1024

Good luck.


kaikrueger commented on May 26, 2024

I see that I should clarify:

Up to now it was possible to run acmetool reconcile as a cronjob without stopping the webserver (apache, nginx, ...).
This version of acmetool is itself starting a webserver on port 80, and it seems that you are not even able to tell it to start it on another port.

Maybe I'm wrong, but the only way to reconcile seems to be a script like this:

systemctl  stop nginx
/usr/bin/acmetool  reconcile 
systemctl  start nginx


CL-Jeremy commented on May 26, 2024

I think the strategies have remained the same as before with v0.0.x. It also doesn't make sense to have acmetool listening on other ports (unless you are using DNS-01, for which custom hooks are needed, cf. Wiki).

The symptoms you describe here seem to suggest that you have chosen a different authentication method than intended. I have tested on my own computer (Mac) that selecting WEBROOT works as expected. Try running acmetool quickstart again to specify that. With WEBROOT nothing should be spawned by the tool.

Also, Ubuntu has imported the packaged version at https://launchpad.net/ubuntu/+source/acmetool/0.2.1-2, so systemd units should be working as expected.


hailfinger commented on May 26, 2024

@CL-Jeremy Of course it makes sense to have acmetool listening on other ports. The documentation even mentions it.

@kaikrueger I had the same problem and fixed it.
Rootless operation is still possible, but you need to work around a few pitfalls. /var/run/acme needs to be owned by the user acme, and the builtin self-test will cause funny failures for non-root operation on nonstandard ports. I recommend tracing your nftables rules (if applicable) and checking whether /var/lib/acme/desired/myhostname-someid needs a few more lines similar to

request:
  challenge:
    http-ports:
      - 0.0.0.0:4402

Note that the self-tests do funny stuff like connecting to 127.0.1.1 (not 127.0.0.1), so make sure the self-tests can successfully connect to the builtin acmetool instance of a web server, and also check if you need to specify 0.0.0.0:4402 as http-ports instead of just 4402.


backstube commented on May 26, 2024

Hi @kaikrueger, thanks for posting this issue. Using acmetool myself for several years, a few weeks/months back it stopped renewing certificates (unnoticed). My acmetool's error and debug log is nearly identical to the one you posted above.

I did the required upgrade to 0.2.1 because of Let's Encrypt APIv2. With that, not a single reconcile run was successful.

Did you manage to run it successfully? I'd be more than happy to hear how!
