Caddy service permission denied (cannot read a file)

1. The problem I’m having:

Hey, I’m facing a weird issue here.
So I made an http->https redirect and an https SSL cert.
The config is below.

There’s nothing wrong with this config, and when I run sudo caddy run --config /etc/caddy/Caddyfile
the domain https://test/ works perfectly.
But when I try to use the service to keep Caddy alive, or use a script to run Caddy with a shortcut, it’s not working, and I’m pretty sure the issue is that Caddy is not running with sudo.
It gives the error displayed in the error section; that’s the journalctl -u caddy --no-pager output when I try to run the caddy service.

2. Error messages and/or full log output:

Jan 20 05:25:37 ayanokoji systemd[1]: Starting Caddy...
Jan 20 05:25:37 ayanokoji caddy[10933]: caddy.HomeDir=/var/lib/caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jan 20 05:25:37 ayanokoji caddy[10933]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.GOOS=linux
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.GOARCH=amd64
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.Compiler=gc
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.NumCPU=6
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.GOMAXPROCS=6
Jan 20 05:25:37 ayanokoji caddy[10933]: runtime.Version=go1.21.5
Jan 20 05:25:37 ayanokoji caddy[10933]: os.Getwd=/
Jan 20 05:25:37 ayanokoji caddy[10933]: LANG=en_IL
Jan 20 05:25:37 ayanokoji caddy[10933]: LANGUAGE=en_IL:en
Jan 20 05:25:37 ayanokoji caddy[10933]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Jan 20 05:25:37 ayanokoji caddy[10933]: NOTIFY_SOCKET=/run/systemd/notify
Jan 20 05:25:37 ayanokoji caddy[10933]: HOME=/var/lib/caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: LOGNAME=caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: USER=caddy
Jan 20 05:25:37 ayanokoji caddy[10933]: INVOCATION_ID=6273bea1e6f84228a855b81feb910d86
Jan 20 05:25:37 ayanokoji caddy[10933]: JOURNAL_STREAM=8:78185
Jan 20 05:25:37 ayanokoji caddy[10933]: SYSTEMD_EXEC_PID=10933
Jan 20 05:25:37 ayanokoji caddy[10933]: GOTRACEBACK=none
Jan 20 05:25:37 ayanokoji caddy[10933]: {"level":"info","ts":1705721137.424137,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jan 20 05:25:37 ayanokoji caddy[10933]: {"level":"info","ts":1705721137.4265542,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
Jan 20 05:25:37 ayanokoji caddy[10933]: {"level":"info","ts":1705721137.4266915,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004dbf00"}
Jan 20 05:25:37 ayanokoji caddy[10933]: {"level":"info","ts":1705721137.426701,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0004dbf00"}
Jan 20 05:25:37 ayanokoji caddy[10933]: Error: loading initial config: loading new config: loading tls app module: provision tls: loading certificates: open /home/mu1x/repositories/mu1x/ssl/mu1x/mu1x.crt: permission denied
Jan 20 05:25:37 ayanokoji systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jan 20 05:25:37 ayanokoji systemd[1]: caddy.service: Failed with result 'exit-code'.
Jan 20 05:25:37 ayanokoji systemd[1]: Failed to start Caddy.

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Installed Caddy on Ubuntu from the Debian source, using apt install caddy.

a. System environment:

b. Command:

sudo caddy run --config /etc/caddy/Caddyfile (working)
caddy run --config /etc/caddy/Caddyfile (not working)
sudo systemctl start caddy (start the caddy service)
journalctl -u caddy --no-pager (the error output)

c. Service/unit/compose file:

idk, I’m using systemd, Ubuntu… and yep.

d. My complete Caddy config:

http://* {
        redir https://{host}{uri}
}

:443 {
        tls /home/mu1x/repositories/mu1x/ssl/mu1x/mu1x.crt /home/mu1x/repositories/mu1x/ssl/mu1x/mu1x.decrypted.key
}

pma {
        root * /usr/share/phpmyadmin/
        file_server
        encode zstd gzip
        php_fastcgi unix//run/php/php-fpm.sock
        try_files {path} {path}/index.php {path}/index.html
}

test {
        reverse_proxy :5173
}

uwu {
        reverse_proxy :4173
}

meow {
        reverse_proxy :3000
}

When running as a systemd service, Caddy runs as the caddy user, which doesn’t have permission to read files in /home.

You’ll need to move the files to somewhere Caddy can access them from.

It works, I moved the files to the caddy home folder (/var/lib/caddy).
Thank you buddy.
