[GH-ISSUE #182] Unable to autostart the daemon (if set, key file must exist) #144

New issue

Closed

opened 2026-05-07 00:20:32 +02:00 by BreizhHardware · 4 comments

BreizhHardware commented 2026-05-07 00:20:32 +02:00

Owner

Copy link

Originally created by @A-Nicoladie on GitHub (Mar 21, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/182

Hi,

I am discovering and testing ntfy and I have a small problem:
The installation went well and after launching the service, I receive all expected notifications.

But after a reboot, the service does not start automatically 😟
It seems to be an access rights issue (maybe), but I'm not sure what's the best approach to solve this.

Here some info:

systemctl enable ntfy and systemctl start ntfy return no error.

sudo -H -u root bash -c '/usr/bin/ntfy serve'

2022/03/21 13:36:01 Listening on :PRIVATE[https]
2022/03/21 13:37:01 Stats: 0 message(s) published, 0 in cache, 0 successful mails, 0 failed, 3 topic(s) active, 3 subscriber(s), 1 visitor(s)

sudo -H -u ntfy bash -c '/usr/bin/ntfy serve'

if set, key file must exist

systemctl list-units | grep ntfy

● ntfy-client.service          loaded failed failed    ntfy client
● ntfy.service                 loaded failed failed    ntfy server

cat /etc/ntfy/server.yml

base-url: "https://PRIVATE"
listen-http: "-"
listen-https: ":PRIVATE"
key-file: /etc/letsencrypt/live/PRIVATE/privkey.pem
cert-file: /etc/letsencrypt/live/PRIVATE/fullchain.pem

cat -n /var/log/syslog

...
6031	Mar 21 14:59:42 PRIVATE systemd[1]: Started ntfy server.
6032	Mar 21 14:59:43 PRIVATE ntfy[4491]: if set, key file must exist
6033	Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Main process exited, code=exited, status=1/FAILURE
6034	Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Failed with result 'exit-code'.
6035	Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Service hold-off time over, scheduling restart.
6036	Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Scheduled restart job, restart counter is at 1.
6037	Mar 21 14:59:43 PRIVATE systemd[1]: Stopped ntfy server.
...

cat /lib/systemd/system/ntfy.service

[Unit]
Description=ntfy server
After=network.target

[Service]
User=ntfy
Group=ntfy
ExecStart=/usr/bin/ntfy serve
Restart=on-failure
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=10000

[Install]
WantedBy=multi-user.target

ls -l /usr/bin/ntfy

-rwxr-xr-x 1 root root 18725152 mars  17 00:39 /usr/bin/ntfy

sudo -H -u root bash -c 'ls -l /etc/letsencrypt/live/PRIVATE/privkey.pem'

lrwxrwxrwx 1 root root 44 janv. 27 04:02 /etc/letsencrypt/live/PRIVATE/privkey.pem -> ../../archive/PRIVATE/privkey20.pem

sudo -H -u ntfy bash -c 'ls -l /etc/letsencrypt/live/PRIVATE/privkey.pem'

ls: cannot access '/etc/letsencrypt/live/PRIVATE/privkey.pem': Permission denied

sudo -H -u root bash -c 'ls -l /etc/letsencrypt/archive/PRIVATE/privkey20.pem'

-rw-r--r-- 1 root root 1708 janv. 27 04:02 privkey20.pem

Originally created by @A-Nicoladie on GitHub (Mar 21, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/182 Hi, I am discovering and testing ntfy and I have a small problem: The installation went well and after launching the service, I receive all expected notifications. But after a reboot, the service does not start automatically 😟 It seems to be an access rights issue (maybe), but I'm not sure what's the best approach to solve this. Here some info: `systemctl enable ntfy` and `systemctl start ntfy` return no error. <!-- ------------------------------ Run as root ------------------------------ --> <details open> <summary>sudo -H -u root bash -c '/usr/bin/ntfy serve'</summary> ``` 2022/03/21 13:36:01 Listening on :PRIVATE[https] 2022/03/21 13:37:01 Stats: 0 message(s) published, 0 in cache, 0 successful mails, 0 failed, 3 topic(s) active, 3 subscriber(s), 1 visitor(s) ``` </details> <!-- ------------------------------ Run as ntfy ------------------------------ --> <details open> <summary>sudo -H -u ntfy bash -c '/usr/bin/ntfy serve'</summary> ``` if set, key file must exist ``` </details> <!-- ------------------------------ systemctl list-units ------------------------------ --> <details> <summary>systemctl list-units | grep ntfy</summary> ```shell ● ntfy-client.service loaded failed failed ntfy client ● ntfy.service loaded failed failed ntfy server ``` </details> <!-- ------------------------------ ntfy.service ------------------------------ --> <details> <summary>cat /etc/ntfy/server.yml</summary> ```ini base-url: "https://PRIVATE" listen-http: "-" listen-https: ":PRIVATE" key-file: /etc/letsencrypt/live/PRIVATE/privkey.pem cert-file: /etc/letsencrypt/live/PRIVATE/fullchain.pem ``` </details> <!-- ------------------------------ ------------------------------ --> <details> <summary>cat -n /var/log/syslog</summary> ``` ... 6031 Mar 21 14:59:42 PRIVATE systemd[1]: Started ntfy server. 6032 Mar 21 14:59:43 PRIVATE ntfy[4491]: if set, key file must exist 6033 Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Main process exited, code=exited, status=1/FAILURE 6034 Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Failed with result 'exit-code'. 6035 Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Service hold-off time over, scheduling restart. 6036 Mar 21 14:59:43 PRIVATE systemd[1]: ntfy.service: Scheduled restart job, restart counter is at 1. 6037 Mar 21 14:59:43 PRIVATE systemd[1]: Stopped ntfy server. ... ``` </details> <!-- ------------------------------ ntfy.service ------------------------------ --> <details> <summary>cat /lib/systemd/system/ntfy.service</summary> ```ini [Unit] Description=ntfy server After=network.target [Service] User=ntfy Group=ntfy ExecStart=/usr/bin/ntfy serve Restart=on-failure AmbientCapabilities=CAP_NET_BIND_SERVICE LimitNOFILE=10000 [Install] WantedBy=multi-user.target ``` </details> <!-- ------------------------------ ntfy ------------------------------ --> <details> <summary>ls -l /usr/bin/ntfy</summary> ``` shell -rwxr-xr-x 1 root root 18725152 mars 17 00:39 /usr/bin/ntfy ``` </details> <!-- ------------------------------ SSL Live ------------------------------ --> <details> <summary>sudo -H -u root bash -c 'ls -l /etc/letsencrypt/live/PRIVATE/privkey.pem'</summary> ``` lrwxrwxrwx 1 root root 44 janv. 27 04:02 /etc/letsencrypt/live/PRIVATE/privkey.pem -> ../../archive/PRIVATE/privkey20.pem ``` </details> <details> <summary>sudo -H -u ntfy bash -c 'ls -l /etc/letsencrypt/live/PRIVATE/privkey.pem'</summary> ``` ls: cannot access '/etc/letsencrypt/live/PRIVATE/privkey.pem': Permission denied ``` </details> <!-- ------------------------------ SSL Archive --> <details> <summary>sudo -H -u root bash -c 'ls -l /etc/letsencrypt/archive/PRIVATE/privkey20.pem'</summary> ``` -rw-r--r-- 1 root root 1708 janv. 27 04:02 privkey20.pem ``` </details>

BreizhHardware 2026-05-07 00:20:32 +02:00

• closed this issue
• added the
  question
  label

BreizhHardware commented 2026-05-07 00:20:33 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Mar 21, 2022):

Hey @A-Nicoladie thanks for trying out ntfy. Yeah that looks like a permissions issue.

The ntfy systemd service runs as use ntfy as you have already figured out, so key and cert file have to be readable by that user. There are multiple ways to solve this:

1. Run ntfy behind a proxy (nginx, Apache2, caddy, ...)

If you run ntfy behind a proxy (instructions here: https://ntfy.sh/docs/config/#nginxapache2caddy), you can put all of the cert management in there and run multiple services on different subdomains as well. It's the most common approach, unless you are only running ntfy and nothing else.

In this case, you'd run ntfy on :1234/http or some other port (not https) and let nginx handle the SSL termination.

2. Run ntfy systemd service as root (don't do this ⛔)

You can systemctl edit ntfy and manually override the User/Group like this. This way, you'll be able to read the cert no matter what.

[Service]
User=root
Group=root

3. Copy certs to /etc/ntfy and chown them

You can copy the cert and keyfile from /etc/letsencrypt/... to /etc/ntfy and make sure that they are readable by the ntfy user by chown ntfy:ntfy ... them. Then also make sure that you have a post_hook in the certbot config, like this:

root@ntfy:/etc/cron.d# cat /etc/letsencrypt/renewal/ntfy.sh.conf
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/ntfy.sh
cert = /etc/letsencrypt/live/ntfy.sh/cert.pem
privkey = /etc/letsencrypt/live/ntfy.sh/privkey.pem
chain = /etc/letsencrypt/live/ntfy.sh/chain.pem
fullchain = /etc/letsencrypt/live/ntfy.sh/fullchain.pem

# Options used in the renewal process
[renewalparams]
...
post_hook = /script/to/move/and/chown/the/keyfiles.sh

<!-- gh-comment-id:1073992295 --> @binwiederhier commented on GitHub (Mar 21, 2022): Hey @A-Nicoladie thanks for trying out ntfy. Yeah that looks like a permissions issue. The ntfy systemd service runs as use `ntfy` as you have already figured out, so key and cert file have to be readable by that user. There are multiple ways to solve this: ### 1. Run ntfy behind a proxy (nginx, Apache2, caddy, ...) If you run ntfy behind a proxy (instructions here: https://ntfy.sh/docs/config/#nginxapache2caddy), you can put all of the cert management in there and run multiple services on different subdomains as well. It's the most common approach, unless you are only running ntfy and nothing else. In this case, you'd run ntfy on `:1234/http` or some other port (not https) and let nginx handle the SSL termination. ### 2. Run `ntfy` systemd service as root (don't do this :no_entry:) You can `systemctl edit ntfy` and manually override the `User`/`Group` like this. This way, you'll be able to read the cert no matter what. ``` [Service] User=root Group=root ``` ### 3. Copy certs to `/etc/ntfy` and chown them You can copy the cert and keyfile from `/etc/letsencrypt/...` to `/etc/ntfy` and make sure that they are readable by the ntfy user by `chown ntfy:ntfy ...` them. Then also make sure that you have a `post_hook` in the `certbot` config, like this: ``` root@ntfy:/etc/cron.d# cat /etc/letsencrypt/renewal/ntfy.sh.conf # renew_before_expiry = 30 days version = 0.40.0 archive_dir = /etc/letsencrypt/archive/ntfy.sh cert = /etc/letsencrypt/live/ntfy.sh/cert.pem privkey = /etc/letsencrypt/live/ntfy.sh/privkey.pem chain = /etc/letsencrypt/live/ntfy.sh/chain.pem fullchain = /etc/letsencrypt/live/ntfy.sh/fullchain.pem # Options used in the renewal process [renewalparams] ... post_hook = /script/to/move/and/chown/the/keyfiles.sh ```

BreizhHardware commented 2026-05-07 00:20:33 +02:00

Author

Owner

Copy link

@A-Nicoladie commented on GitHub (Mar 21, 2022):

Thank you !
Copy certs work like a charm.

(Running ntfy behind a proxy seems a bit complicated for me at the moment.)

<!-- gh-comment-id:1074062891 --> @A-Nicoladie commented on GitHub (Mar 21, 2022): Thank you ! Copy certs work like a charm. (Running ntfy behind a proxy seems a bit complicated for me at the moment.)

BreizhHardware commented 2026-05-07 00:20:33 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Mar 21, 2022):

Glad I could help. Don't forget the post_hook, otherwise you're gonna have a bad time in 3 months. Be kind to future-you.

<!-- gh-comment-id:1074066530 --> @binwiederhier commented on GitHub (Mar 21, 2022): Glad I could help. Don't forget the `post_hook`, otherwise you're gonna have a bad time in 3 months. Be kind to future-you.

BreizhHardware commented 2026-05-07 00:20:33 +02:00

Author

Owner

Copy link

@A-Nicoladie commented on GitHub (Mar 21, 2022):

Yes, you right 😁
I tried to force a renewal (certbot renew --force-renewal) to see if files changes. All is OK 😉

<!-- gh-comment-id:1074084932 --> @A-Nicoladie commented on GitHub (Mar 21, 2022): Yes, you right 😁 I tried to force a renewal (`certbot renew --force-renewal`) to see if files changes. All is OK 😉

BreizhHardware referenced this issue 2026-05-07 00:22:15 +02:00

[GH-ISSUE #319] Consider Including a Matrix Gateway endpoint as part of ntfy #248

BreizhHardware referenced this issue 2026-05-07 01:00:46 +02:00

[GH-ISSUE #1726] Authenticated free-tier users should be rate-limited by user ID, not IP address #1198

BreizhHardware referenced this issue 2026-05-07 01:00:47 +02:00

[GH-ISSUE #1726] Authenticated free-tier users should be rate-limited by user ID, not IP address #1198

BreizhHardware referenced this issue 2026-05-07 01:01:05 +02:00

[PR #145] [MERGED] WIP: Rate limit exemption #1225

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#144

No description provided.