Events exec handler - permission denied

1. The problem I’m having:

I’m trying to launch a script every time a certificate is obtained/renewed. I’m using the events.handlers.exec module for that → JSON Config Structure - Caddy Documentation

I always get some permission error, which is strange since the folders are all owned by caddy:caddy and I even tried with a “tmp” subdirectory which has 777.

2. Error messages and/or full log output:

mai 03 08:39:33 caddy[92368]: {"level":"debug","ts":1714718373.5122151,"logger":"events","msg":"event","name":"cached_managed_cert","id":"305e9b1c-38fa-4c93-81b4-77c7756b4af6","origin":"tls","data":{"sans":[""]}}
mai 03 08:39:33 caddy[92385]: /var/lib/caddy/tmp/ line 3: ./certpath-test: Permission denied
mai 03 08:39:33 caddy[92368]: {"level":"error","ts":1714718373.514313,"logger":"events.handlers.exec","msg":"background command failed","error":"exit status 1"}
mai 03 08:39:33 caddy[92368]: {"level":"error","ts":1714718373.514313,"logger":"events.handlers.exec","msg":"background command failed","error":"exit status 1"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

I’m using Arch with a binary compiled via xcaddy to add the events.handlers.exec module.

b. Command:

I’m running it through the unit file.

c. Service/unit/compose file:

# /etc/systemd/system/caddy.service
# caddy.service
# For using Caddy with a config file.
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
# See for instructions.
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
# The configuration below serves a welcome page over HTTP on port 80.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
	# Restrict the admin interface to a local unix file socket whose directory
	# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
	# modification for any process and user that has access to the local
	# interface. If admin over TCP is turned on one should make sure
	# implications are well understood.
	admin "unix//run/caddy/admin.socket"
	email ""

	cert_issuer acme

	log log0 {
		output stdout
		level DEBUG

	events {
		on cert_obtained exec /var/lib/caddy/tmp/ {} {}
} {
	tls {
		issuer acme {
			trusted_roots /etc/caddy/certs/root_ca.crt
			alt_tlsalpn_port 9443

	encode gzip zstd

	respond "it's something"

5. Links to relevant resources:

Here is the script I’m currently using and the permissions of the directory

root@pandabaer # ls -la
total 48
drwxr-x---  8 caddy caddy 4096  3 mai   08:36 .
drwxr-xr-x 59 root  root  4096 19 avril 16:18 ..
drwx------  3 caddy caddy 4096  3 mai   08:36 .config
drwx------  4 caddy caddy 4096  3 mai   08:19 .local
drwx------  3 caddy caddy 4096 12 nov.  10:55 acme
-rw-------  1 caddy caddy 4308 16 avril 19:29 autosave.json
drwx------  3 caddy caddy 4096 12 nov.  13:56 certificates
-rw-------  1 caddy caddy   36 16 avril 19:24 instance.uuid
-rw-------  1 caddy caddy  112  2 mai   20:00 last_clean.json
drwx------  2 caddy caddy 4096  3 mai   08:32 locks
drwxrwxrwx  2 caddy caddy 4096  3 mai   08:31 tmp

Also here is the script - it does not do much currently because I’m trying to find out how to copy the certificate from one place to another right now, so it’s just for testing the output currently and to see if I can get it to output to another file.


echo $1 $2 > ./certpath-test

Thank you,
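An added example, not part of the original thread and not code from the Caddy project: in the script above, `./certpath-test` is resolved against the working directory the script inherits from the process that launched it, not against the directory the script lives in. The hook below logs the uid, gid and working directory it actually runs with and writes to an absolute path instead. The `record_cert_event` function and the `OUT_DIR` variable are hypothetical names, and `/var/lib/caddy/tmp` is taken from the post.

```shell
#!/bin/sh
# Added example: certificate-event hook that does not depend on the working directory.
# OUT_DIR is a hypothetical override; the default is the directory shown in the post.
OUT_DIR="${OUT_DIR:-/var/lib/caddy/tmp}"

# record_cert_event DIR ARGS...
# Logs the execution context to stderr (which ends up in the journal under
# systemd) and writes ARGS to DIR/certpath-test using an absolute path.
record_cert_event() {
    out_dir=$1
    shift
    out_file="$out_dir/certpath-test"

    # Who the hook runs as, and where a relative path such as
    # ./certpath-test would have been created.
    printf 'hook context: uid=%s gid=%s cwd=%s\n' \
        "$(id -u)" "$(id -g)" "$(pwd)" >&2

    # Fail with a clear message instead of a bare "Permission denied".
    if [ ! -d "$out_dir" ] || [ ! -w "$out_dir" ]; then
        printf 'hook error: cannot write to %s\n' "$out_dir" >&2
        return 1
    fi

    # Quote the arguments so values containing spaces are kept intact.
    printf '%s\n' "$*" > "$out_file"
}

# Run only when called with arguments, as the exec handler in the post does.
if [ "$#" -gt 0 ]; then
    record_cert_event "$OUT_DIR" "$@"
fi
```

The `hook context` line shows directly whether the working directory is the one the relative path was expected to land in.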

Is certpath_test executable?

That’s the file I’m trying to create under “tmp”. Also, the directory has all permissions (777).

root@pandabaer # ll
total 4
-rwxrwxrwx 1 caddy caddy 27  3 mai   17:21

But that’s What is certpath_test?

That is just the file I want to create for a test with

Here is the contents of :