caddytls: Do not pass fd/ descriptors to ACME listener (fixes #7525)

[m0canu1]

This PR fixes a bug where configuring a systemd file descriptor in bind or default_bind causes the ACME challenge solver to crash with a no such host error.

Fixes #7525

Currently, if a user configures bind fd/3, Caddy passes "fd/3" directly to CertMagic via iss.Challenges.BindHost. It attempts a DNS lookup on the literal string "fd/3". This fails immediately, preventing ACME certificates from being issued or renewed.

This PR intercepts the BindHost before it is passed to CertMagic. If it detects a file descriptor, it leaves the CertMagic ListenHost template blank.

This safely forces CertMagic to fall back to its default behavior (binding to standard ports :80 or :443), bypassing the DNS lookup crash while still allowing the main Caddy server to intercept the challenge traffic via the file descriptor.

I compiled a custom build and ran it locally using systemd-socket-activate to simulate the environment:

Test Caddyfile:

{
    servers {
        protocols h1 h2
    }
}
fake-domain-for-testing.com {
    bind fd/3
    tls {
        ca [https://acme-staging-v02.api.letsencrypt.org/directory](https://acme-staging-v02.api.letsencrypt.org/directory)
    }
    respond "Hello World"
}

Assistance Disclosure

I consulted Gemini to help analyze the root cause of the socket activation bug and generate the code for this fix. I have reviewed the code and verified it is correct.

[francislavoie]

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

[m0canu1]

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

Yeah, it totally makes sense but if you want to use this kind of challenge (HTTP-01 or TLS-ALPN-01) on Let's Encrypt, they don't let you choose an arbitrary port.

Correct me if I'm wrong

[passcod]

they don't let you choose an arbitrary port.

Sure, but the point is to not have caddy bind the ports. Ideally, it lets caddy run without port-binding capabilities.

[gucci-on-fleek]

I think this is makes sense as a temporary fix, but I think we'd probably want certmagic to accept FD because some people don't want Caddy to listen on 80/443 when using FD.

I've opened a PR doing this in caddyserver/certmagic#380.

[m0canu1]

@francislavoie, @passcod what do you think about @gucci-on-fleek's PR for certmagic?

[francislavoie]

It looks fine to me at a glance but @mholt will need to review and merge.

[mholt]

Thanks, will be merging the patch in CertMagic soon. Do we still need this one then?

[m0canu1]

Nope, if you merge the fix in certmagic this one can be ignored

[francislavoie]

I'll close this since we'll go with caddyserver/certmagic#380. Thanks!