What happened?
Happend on a bare metal machine, re-checked it with a clean dockered ubuntu:26.04. While being messy in basic install, same thing happend during post-install.
Following https://docs.crowdsec.net/u/getting_started/installation/linux/, everything works fine, until you reach the last one:
sudo apt install crowdsec-firewall-bouncer-iptables
This will install, with a single line indicating something went wrong:
Installing:
crowdsec-firewall-bouncer-iptables
Summary:
Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 6
Download size: 4,403 kB
Space needed: 15.3 MB / 1,021 GB available
Get:1 https://packagecloud.io/crowdsec/crowdsec/any any/main amd64 crowdsec-firewall-bouncer-iptables amd64 0.0.34 [4,403 kB]
Fetched 4,403 kB in 1s (5,827 kB/s)
Selecting previously unselected package crowdsec-firewall-bouncer-iptables.
(Reading database… 99187 files and directories currently installed.)
Preparing to unpack …/crowdsec-firewall-bouncer-iptables_0.0.34_amd64.deb…
Unpacking crowdsec-firewall-bouncer-iptables (0.0.34)…
Setting up crowdsec-firewall-bouncer-iptables (0.0.34)…
cscli/crowdsec is present, generating API key
API Key successfully created
install: No such file or directory
Created symlink '/etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service' → '/etc/systemd/system/crowdsec-firewall-bouncer.service'.
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
In case you do not see it, its install: No such file or directory.
It creates the API key but leaves api_key: ${API_KEY} within the /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.
Whats problematic about this is: Nothing fails directly. apt completes. crowdsec does not mention anything special, sudo systemctl status crowdsec --no-pager is clean.
I just noticed it during the manual check, asking myself why a temporaty ban on my own IP did not work.
Finally looking at the separate service revealed more details, but no reason:
Jun 25 21:00:26 kilo crowdsec-firewall-bouncer[39181]: time="2026-06-25T21:00:26+02:00" level=fatal msg="process terminated with error: bouncer stream halted"
Jun 25 21:00:26 kilo systemd[1]: crowdsec-firewall-bouncer.service: Main process exited, code=exited, status=1/FAILURE
Jun 25 21:00:26 kilo systemd[1]: crowdsec-firewall-bouncer.service: Failed with result 'exit-code'.
I had to go through /var/log/crowdsec-firewall-bouncer.log to see an indication:
time="2026-06-25T21:04:03+02:00" level=error msg="API error: access forbidden"
So basically the normal installation process advertised on your site will not protect anything, if not manually corrected and "perceived" by the user. Not sure everyone checks a systemctl --failed right after installation.
What did you expect to happen?
Set-up the system correctly.
How can we reproduce it (as minimally and precisely as possible)?
docker run --rm -it --privileged ubuntu:26.04 bash
apt update
apt install -y curl gnupg lsb-release ca-certificates apt-transport-https
curl -s https://install.crowdsec.net | sh
apt install crowdsec
# ignore dpkg failure, systemctl will be missing
apt install crowdsec-firewall-bouncer-iptables
cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
Anything else we need to know?
No response
version
0.0.25-5build1
crowdsec version
crowdsec version: 1.7.8
OS version
Details
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 26.04 LTS"
NAME="Ubuntu"
VERSION_ID="26.04"
VERSION="26.04 LTS (Resolute Raccoon)"
VERSION_CODENAME=resolute
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=resolute
LOGO=ubuntu-logo
$ uname -a
Linux kilo 7.0.0-22-generic #22-Ubuntu SMP PREEMPT_DYNAMIC Mon May 25 15:54:34 UTC 2026 x86_64 GNU/Linux
</details>
What happened?
Happend on a bare metal machine, re-checked it with a clean dockered ubuntu:26.04. While being messy in basic install, same thing happend during post-install.
Following https://docs.crowdsec.net/u/getting_started/installation/linux/, everything works fine, until you reach the last one:
This will install, with a single line indicating something went wrong:
In case you do not see it, its
install: No such file or directory.It creates the API key but leaves api_key: ${API_KEY} within the
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.Whats problematic about this is: Nothing fails directly.
aptcompletes. crowdsec does not mention anything special,sudo systemctl status crowdsec --no-pageris clean.I just noticed it during the manual check, asking myself why a temporaty ban on my own IP did not work.
Finally looking at the separate service revealed more details, but no reason:
I had to go through
/var/log/crowdsec-firewall-bouncer.logto see an indication:So basically the normal installation process advertised on your site will not protect anything, if not manually corrected and "perceived" by the user. Not sure everyone checks a
systemctl --failedright after installation.What did you expect to happen?
Set-up the system correctly.
How can we reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
No response
version
0.0.25-5build1
crowdsec version
crowdsec version: 1.7.8
OS version
Details