Events exec handler - permission denied

1. The problem I’m having:

I’m trying to launch a script every time a certificate is obtained/renewed. I’m using the events.handlers.exec module for that → JSON Config Structure - Caddy Documentation

I always get some permission error, which is strange since the folders are all owned by caddy:caddy and I even tried with a “tmp” subdirectory which has 777.

2. Error messages and/or full log output:

mai 03 08:39:33 pandabaer.lan.somebear.space caddy[92368]: {"level":"debug","ts":1714718373.5122151,"logger":"events","msg":"event","name":"cached_managed_cert","id":"305e9b1c-38fa-4c93-81b4-77c7756b4af6","origin":"tls","data":{"sans":["atest6.lan.somebear.space"]}}
mai 03 08:39:33 pandabaer.lan.somebear.space caddy[92385]: /var/lib/caddy/tmp/dscript.sh: line 3: ./certpath-test: Permission denied
mai 03 08:39:33 pandabaer.lan.somebear.space caddy[92368]: {"level":"error","ts":1714718373.514313,"logger":"events.handlers.exec","msg":"background command failed","error":"exit status 1"}
mai 03 08:39:33 pandabaer.lan.somebear.space caddy[92368]: {"level":"error","ts":1714718373.514313,"logger":"events.handlers.exec","msg":"background command failed","error":"exit status 1"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

I’m using Arch with a binary compiled via xcaddy to add the events.handlers.exec module.

b. Command:

I’m running it through the unit file.

c. Service/unit/compose file:

# /etc/systemd/system/caddy.service
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
#
# The configuration below serves a welcome page over HTTP on port 80.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses
{
	# Restrict the admin interface to a local unix file socket whose directory
	# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
	# modification for any process and user that has access to the local
	# interface. If admin over TCP is turned on one should make sure
	# implications are well understood.
	admin "unix//run/caddy/admin.socket"
	email "postmaster@somebear.space"

	cert_issuer acme

	log log0 {
		output stdout
		level DEBUG
	}

	events {
		on cert_obtained exec /var/lib/caddy/tmp/dscript.sh {event.data.identifier} {event.data.storage_path}
	}
}

https://atest6.lan.somebear.space {
	tls {
		#on_demand
		issuer acme {
			dir https://pki.lan.ursidae.space:10443/acme/acme/directory
			trusted_roots /etc/caddy/certs/root_ca.crt
			alt_tlsalpn_port 9443
		}
	}

	encode gzip zstd

	respond "it's something"
}

5. Links to relevant resources:

Here is the script I’m currently using and the permissions of the directory:

/var/lib/caddy
root@pandabaer pandabaer.lan.somebear.space~caddy # ls -la
total 48
drwxr-x---  8 caddy caddy 4096  3 mai   08:36 .
drwxr-xr-x 59 root  root  4096 19 avril 16:18 ..
drwx------  3 caddy caddy 4096  3 mai   08:36 .config
drwx------  4 caddy caddy 4096  3 mai   08:19 .local
drwx------  3 caddy caddy 4096 12 nov.  10:55 acme
-rw-------  1 caddy caddy 4308 16 avril 19:29 autosave.json
drwx------  3 caddy caddy 4096 12 nov.  13:56 certificates
-rw-------  1 caddy caddy   36 16 avril 19:24 instance.uuid
-rw-------  1 caddy caddy  112  2 mai   20:00 last_clean.json
drwx------  2 caddy caddy 4096  3 mai   08:32 locks
drwxrwxrwx  2 caddy caddy 4096  3 mai   08:31 tmp

Also here is the script - it does not do much currently because I’m trying to find out how to copy the certificate from one place to another right now, so it’s just for testing the output currently and to see if I can get it to output to another file.

#!/bin/bash

# Write both event arguments to a file at a relative path. Note that "./" is
# resolved against the current working directory of the caddy process that
# runs this script, not against the directory the script itself lives in.
echo "$1" "$2" > ./certpath-test

Thank you,
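As an added example (not the original poster's dscript.sh and not part of Caddy), here is a hook script for the `on cert_obtained exec` line in the Caddyfile above that writes only to explicit absolute paths and copies the obtained certificate out of Caddy's storage with restrictive permissions. It assumes Caddy invokes it with `{event.data.identifier}` and `{event.data.storage_path}` in that order, that `storage_path` is a directory relative to the storage root (`/var/lib/caddy`, from the `ls` listing above) containing `<identifier>.crt` and `<identifier>.key`, and that identifiers are plain hostnames rather than wildcards; the `CADDY_STORAGE` and `CERT_DEST` variables, the `exported` directory and the `certpath.log` file are names chosen for this example.

```bash
#!/bin/bash
# Added example hook for Caddy's `events { on cert_obtained exec ... }`.
# Not the original poster's script and not part of Caddy.
#
# Assumptions (not from the thread): Caddy calls it as
#   hook.sh <identifier> <storage_path>
# and storage_path is a directory, relative to the storage root, that holds
# <identifier>.crt and <identifier>.key.
set -eu

# Accept only characters expected in a hostname. The arguments arrive from the
# event, so they are never spliced into a path unchecked.
valid_identifier() {
    case "$1" in
        ''|*/*|*..*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# copy_cert <identifier> <storage_path> <storage_root> <dest_dir>
# Copies <identifier>.crt (0644) and <identifier>.key (0600) into dest_dir and
# appends one line to dest_dir/certpath.log. Returns non-zero on any problem.
copy_cert() {
    local identifier=$1 storage_path=$2 storage_root=$3 dest_dir=$4
    local src crt key
    valid_identifier "$identifier" || { echo "rejected identifier: $identifier" >&2; return 1; }

    # Resolve the source directory explicitly. A relative "./file" would be
    # resolved against the service's working directory (which is / for a
    # systemd unit that sets no WorkingDirectory=), not this script's location.
    case "$storage_path" in
        /*) src=$storage_path ;;
        *)  src=$storage_root/$storage_path ;;
    esac
    crt=$src/$identifier.crt
    key=$src/$identifier.key
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing $crt or $key" >&2; return 1; }

    # Nothing created here is group/world readable until chmod says so.
    umask 077
    mkdir -p "$dest_dir"
    cp "$crt" "$dest_dir/$identifier.crt"
    cp "$key" "$dest_dir/$identifier.key"
    chmod 0644 "$dest_dir/$identifier.crt"
    chmod 0600 "$dest_dir/$identifier.key"

    printf '%s obtained %s from %s\n' "$(date -u +%FT%TZ)" "$identifier" "$src" \
        >> "$dest_dir/certpath.log"
}

# When invoked by Caddy: hook.sh <identifier> <storage_path>. The storage root
# and destination defaults are assumptions matching the listing in this thread.
if [ "$#" -ge 2 ]; then
    copy_cert "$1" "$2" "${CADDY_STORAGE:-/var/lib/caddy}" "${CERT_DEST:-/var/lib/caddy/exported}"
fi
```

The script runs as the `caddy` user configured in the unit file, so the destination directory must be writable by that user without resorting to mode 777; the key copy is deliberately left at 0600. Every output path is absolute or derived from an explicit root, which sidesteps the question of what the service's working directory is.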

Is certpath_test executable?


That’s the file I’m trying to create under “tmp” also the directory has all permissions (777).

root@pandabaer pandabaer.lan.somebear.space/var/lib/caddy/tmp # ll
total 4
-rwxrwxrwx 1 caddy caddy 27  3 mai   17:21 dscript.sh

But that’s dscript.sh. What is certpath_test?


That is just the file I want to create for a test with dscript.sh.

Here are the contents of dscript.sh: