Skip to content

caddytls: Do not pass fd/ descriptors to ACME listener (fixes #7525)#7682

Open
m0canu1 wants to merge 1 commit intocaddyserver:masterfrom
m0canu1:master
Open

caddytls: Do not pass fd/ descriptors to ACME listener (fixes #7525)#7682
m0canu1 wants to merge 1 commit intocaddyserver:masterfrom
m0canu1:master

Conversation

@m0canu1
Copy link
Copy Markdown

@m0canu1 m0canu1 commented May 2, 2026

This PR fixes a bug where configuring a systemd file descriptor in bind or default_bind causes the ACME challenge solver to crash with a no such host error.

Fixes #7525

Currently, if a user configures bind fd/3, Caddy passes "fd/3" directly to CertMagic via iss.Challenges.BindHost. It attempts a DNS lookup on the literal string "fd/3". This fails immediately, preventing ACME certificates from being issued or renewed.

This PR intercepts the BindHost before it is passed to CertMagic. If it detects a file descriptor, it leaves the CertMagic ListenHost template blank.

This safely forces CertMagic to fall back to its default behavior (binding to standard ports :80 or :443), bypassing the DNS lookup crash while still allowing the main Caddy server to intercept the challenge traffic via the file descriptor.

I compiled a custom build and ran it locally using systemd-socket-activate to simulate the environment:

Test Caddyfile:

{
    servers {
        protocols h1 h2
    }
}
fake-domain-for-testing.com {
    bind fd/3
    tls {
        ca [https://acme-staging-v02.api.letsencrypt.org/directory](https://acme-staging-v02.api.letsencrypt.org/directory)
    }
    respond "Hello World"
}

Assistance Disclosure

I consulted Gemini to help analyze the root cause of the socket activation bug and generate the code for this fix. I have reviewed the code and verified it is correct.

@francislavoie
Copy link
Copy Markdown
Member

francislavoie commented May 2, 2026

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

@m0canu1
Copy link
Copy Markdown
Author

m0canu1 commented May 2, 2026
edited
Loading

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

Yeah, it totally makes sense but if you want to use this kind of challenge (HTTP-01 or TLS-ALPN-01) on Let's Encrypt, they don't let you choose an arbitrary port.

Correct me if I'm wrong

@passcod
Copy link
Copy Markdown

passcod commented May 2, 2026

they don't let you choose an arbitrary port.

Sure, but the point is to not have caddy bind the ports. Ideally, it lets caddy run without port-binding capabilities.

@gucci-on-fleek
Copy link
Copy Markdown

gucci-on-fleek commented May 3, 2026

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

I've opened a PR doing this in caddyserver/certmagic#380.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Caddy 2.11.1: socket activation problems with ACME

4 participants

@m0canu1 @francislavoie @passcod @gucci-on-fleek