lua-resty-auto-ssl
unauthorized access to hook server (hook secret did not match)
I recently decided to restart nginx after some configuration changes, using sudo systemctl restart nginx. Afterwards I saw renewal requests failing like so:
2018/04/09 20:50:45 [error] 12017#12017: *103 [lua] hook.lua:8: server(): auto-ssl: unauthorized access to hook server (hook secret did not match), client: 127.0.0.1, server: , request: "POST /deploy-challenge HTTP/1.1", host: "127.0.0.1:8999"
(...)
+ Requesting challenge for www.somedomain.com...
err: curl: (22) The requested URL returned error: 401 Unauthorized
and earlier also
+ Requesting challenge for delabrave.com...
err: curl: (7) Failed connect to 127.0.0.1:8999; Connection refused
So I am wondering if the previous hook server potentially did not exit when the main resty process did? This is an issue for us, since we're quickly in "Error creating new authz :: too many currently pending authorizations" territory when this happens.
Any workarounds?
Looking through the source code a bit I suspect that this hiccup might have something to do with the fact that our systemd unit configuration for nginx used the default PrivateTmp=true.
While I don't fully understand the code, it seems that the sockproc code uses /tmp/shell.sock and /tmp/auto-ssl-sockproc.pid, and also expects those to persist across restarts, so I could see how this could have caused an issue with systemd putting those files into a private (per-runtime) directory and deleting it after a stop.
We changed our configuration to PrivateTmp=false and will monitor if this happens again. Feel free to close the bug in the meantime.
(Not sure if other paths than /tmp were considered for those files, but this could make sense if more people run into this.)
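As an added diagnostic for the situation described in this thread (this script is not part of lua-resty-auto-ssl or sockproc), the functions below check whether a unit's effective configuration enables PrivateTmp and whether the sockproc pid file is stale. The two /tmp paths are the ones named above; the unit name and the use of systemctl cat / systemctl edit are assumptions about a typical systemd host.

```shell
#!/bin/sh
# Added diagnostic script (not part of lua-resty-auto-ssl or sockproc).
# The two file paths are the ones named in the report; everything else is an
# assumption about a typical systemd host.
SOCK_PATH="${SOCK_PATH:-/tmp/shell.sock}"
PID_PATH="${PID_PATH:-/tmp/auto-ssl-sockproc.pid}"
UNIT="${UNIT:-nginx.service}"

# private_tmp_enabled UNIT_TEXT
# Returns 0 when the unit text (e.g. output of `systemctl cat nginx.service`,
# which includes drop-ins) turns on PrivateTmp, which gives the service its own
# /tmp that systemd discards on stop. The last assignment wins, as in systemd.
private_tmp_enabled() {
  printf '%s\n' "$1" |
    grep -Ei '^[[:space:]]*PrivateTmp[[:space:]]*=' |
    tail -n 1 |
    grep -Eiq '=[[:space:]]*(true|yes|on|1)[[:space:]]*$'
}

# pidfile_state PIDFILE
# Prints "missing" (no file), "stale" (file present but no such process, the
# state left behind when the pid file and the daemon no longer agree) or
# "running".
pidfile_state() {
  [ -f "$1" ] || { echo missing; return 0; }
  pid=$(tr -cd '0-9' < "$1")
  if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
    echo running
  else
    echo stale
  fi
}

# diagnose: run on the host. Reads the effective unit with systemctl (assumed
# available) and reports what a restart will do to the sockproc files.
diagnose() {
  if command -v systemctl >/dev/null 2>&1 && private_tmp_enabled "$(systemctl cat "$UNIT" 2>/dev/null)"; then
    echo "$UNIT has PrivateTmp=true: $SOCK_PATH and $PID_PATH live in a private /tmp removed on stop"
    echo "fix: systemctl edit $UNIT, add [Service] / PrivateTmp=false, then systemctl daemon-reload && systemctl restart $UNIT"
  fi
  echo "pid file $PID_PATH: $(pidfile_state "$PID_PATH")"
  [ -S "$SOCK_PATH" ] && echo "socket $SOCK_PATH visible from this /tmp" || echo "socket $SOCK_PATH not visible from this /tmp"
}

# Run the diagnosis only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--diagnose" ]; then diagnose; fi
```

Run it as `sh diag.sh --diagnose` on the host where nginx runs; it reports the effective PrivateTmp setting and the pid-file state as seen from the caller's /tmp.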