pocketbase: Error: listen tcp x.x.x.x:443: bind: cannot assign requested address

I encountered the same issue on AWS EC2 (Ubuntu 22), and @jimafisk ’s reply solved my issue.

At first:

sudo /root/pb/pocketbase serve --http="example.com:80"
# > Server started at: http://example.com:80
# > ...
# > listen tcp 43.xx.xx.xx:80: bind: cannot assign requested address

The fix:

hostname -I
# this returns the EC2’s private IP address e.g. 172.xx.xx.xx

sudo vi /etc/hosts
# add `172.xx.xx.xx  example.com`

Afterward:

sudo /root/pb/pocketbase serve --http="example.com:80"
# success!

To avoid using sudo, use setcap as described in official guide

sudo setcap 'cap_net_bind_service=+ep' /root/pb/pocketbase

/root/pb/pocketbase serve --http="example.com:80"
# success!

Adding --https=... generate a number of warning/error on the first run, though HTTPS does work in the browser.

/root/pb/pocketbase serve --http="example.com:80" --https="example.com:443"
# 2023/01/20 05:42:51 http: TLS handshake error from 139.xx.xx.xx:55094: acme/autocert: host "43.xx.xx.xx" not configured in HostWhitelist
# ...
# 2023/01/20 05:42:52 http: TLS handshake error from 139.xx.xx.xx:56340: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
# 2023/01/20 05:42:52 http: TLS handshake error from 139.xx.xx.xx:56794: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])
# 2023/01/20 05:42:53 http: TLS handshake error from 139.xx.xx.xx:57104: acme/autocert: host "43.xx.xx.xx" not configured in HostWhitelist
# ...
# 2023/01/20 05:52:24 http: TLS handshake error from 43.xx.xx.xx:41340: acme/autocert: missing server name

According to AWS doc, the private IP would not change unless the instance is terminated so this fix should keep on working(?):

”A private IPv4 address, regardless of whether it is a primary or secondary address, remains associated with the network interface when the instance is stopped and started, or hibernated and started, and is released when the instance is terminated.”

Thank you @ganigeorgiev that worked! ✔️

I ran hostname -I and that returned several IP addresses. The first was the ip4 address that I could see from the Digital Ocean dashboard that I had already tried unsuccessfully, but the second was an internal IP 10.10.0.6 that worked! Just needed to vim /etc/hosts:

10.10.0.6 sub.mydomain.com

Just a couple of notes:

• I’m not managing DNS through Digital Ocean, I just created an A Record from a different registrar and pointed it to the “Reserved IP” I set up for my droplet
• I restarted my droplet from the Digital Ocean dashboard and my custom /etc/hosts entry is still intact
• Restarting the server allowed the systemctl settings you described to work. Before the restart I could /root/pb/pocketbase serve --http="sub.mydomain.com:80" --https="sub.mydomain.com:443" manually to start PocketBase but I couldn’t systemctl enable pocketbase.service --now to get it working in a persistent manner.

Had the same issue of bind: cannot assign requested address when trying to serve with --https

Resolved with @ganigeorgiev and @jimafisk suggestions for adding network address IP to /etc/hosts. No caddy/nginx used 👍

ok. now it’s working. There was couple issue with OracleCloud (adding http/https port on traffic in network configuration tab). Coupke hours later finally I can start to do something with that.

I’m sorry, I’m kinda new to setting up linux servers. I figured it out. I’ve checked ifconfig and got two entries there, one of which had UP,BROADCAST,RUNNING,MULTICAST flags and second UP,LOOPBACK,RUNNING. So I got the ip address from the first one and added it to /etc/hosts like this ip-address domain. Then I ran ./pocketbase serve --http="subdomain.domain:80" --https="subdomain.domain:443" and it worked. I checked it in browser and everything was good. Sorry for wasting your time and thank you for the great work!

I think I might be able to help clear this up.

• when you bind to subdomain.domain.dev:443, golang will resolve the DNS (only once) to get an IP and bind that IP.
• listen tcp x.x.x.x:443: bind: cannot assign requested address - this error occurs when you try to bind to an IP that isn’t local. in linux, you can show the list of local IPs with hostname -I.
• nginx will work because it binds to 0.0.0.0.
• certbot also works because it always binds to 0.0.0.0 in --standalone.

from the comments, subdomain.domain.dev doesn’t resolve to a local IP. hence the error.

it’s especially important to note that binding to a domain will not work with ddns, since golang will resolve the DNS only once.

here’s some workarounds for @noxware:

1. keep nginx as gateway for SSL termination. manual certbot will work with nginx, ddclient will work, pocketbase will work. voila! alternatively, use caddy with Auto TLS – caddy --from subdomain.domain.dev --to localhost:8090 (top of my head, see their docs)
2. can setup loopback to public ip on the RPi. this is beyond pocketbase. simpler setup though.

I highly recommend caddy.

pocketbas can also tackle it by always binding to 0.0.0.0 for https. or maybe separate the https argument into listen and domain. who knows, up to them.

personally, I’d drop https support. luckily i’m not in the pocketbase team 😉

It’s definitely the public one.

I tried with --debug before but I remember that it only showed some sql stuff. I’m gonna try luck with ngnix in a moment.