Certbot behind a forward proxy

Hi.

I have the certbot client installed on a server that cannot access the Internet directly. This server can go out to the Internet through a Squid proxy installed on localhost.

The command certbot renew --dry-run hits the firewall instead of going through the proxy. And thus nothing works.

I have set up the usual http_proxy shell variables like this:
— cut here —
root@server:~# export http_proxy=http://localhost:3128; export https_proxy=http://localhost:3128; export HTTP_PROXY=http://localhost:3128; export HTTPS_PROXY=http://localhost:3128; certbot renew --dry-run
— cut here —

But still nothing works: it hits the firewall instead of Squid.

When I test the shell variables through:
— cut here —
wget https://google.com
— cut here —
or
— cut here —
root@server:~# python
Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get('https://google.com')
— cut here —

The requests go through the proxy as expected.

What have I missed?

Thanks!

certbot should respect and use the environment variables as you’ve set them: https://github.com/certbot/certbot/issues/5136

Unless something has changed in the certbot code in the meantime…

What is the exact certbot output?

Thanks a lot. I’ve waited a loooong time to get the output. This output is correct, and certbot operates correctly.

But in fact I have an IPv6 problem: the “letsencrypt” DNS resolves as IPv6 and IPv4. When it resolves as IPv6, the network requests want to go out directly and are eaten by the firewall. Then, after the looooong timeout, the DNS falls back to the other entries, the IPv4 entries, and finally it works.

So I move my issue forward; maybe it is not related to certbot? How can I force IPv4 use, or how can I set up “http_proxy” to work with IPv4 and IPv6?


I had many problems. Here they are.

  1. certbot needs to be run while specifying the proxy: export HTTPS_PROXY=http://127.0.0.1:3128 && certbot renew --dry-run.
  2. The Squid proxy has to be authorized to go out to the Internet through the firewall, on IPv4 and IPv6. Something like iptables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT && ip6tables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT is required (see the iptables / ip6tables documentation if needed).
  3. The IPv6 firewall has to authorize ICMPv6 traffic, outgoing and incoming. Something like ip6tables -A OUTPUT -p icmpv6 -j ACCEPT && ip6tables -A INPUT -p icmpv6 -j ACCEPT (I did not dig into restricting this to specific ICMPv6 types such as 135; I’ve just authorized all ICMPv6 traffic for now).

Now everything is OK for manual run.

For automatic run using cron, please edit /etc/cron.d/certbot and add export HTTPS_PROXY=... before the certbot command.

Or, for automatic runs using systemd timers, copy /lib/systemd/system/certbot to /etc/systemd/system and add a line Environment="HTTPS_PROXY=http://127.0.0.1:3128" in the [Service] section (and run systemctl daemon-reload to take your new file into account).
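As an added illustration (not code from this thread or from certbot), the script below shows which proxy a request to the ACME directory would use under different environments; certbot's HTTP client (requests) resolves proxies through the same urllib.request helpers, so its answer matches certbot's. The Squid address and the scenario environments are constructed for the demonstration; the ACME URL is the real Let's Encrypt v2 directory. It only covers the certbot-to-Squid leg: whether Squid itself can leave on IPv6 is the firewall matter in steps 2 and 3.

```python
import os
from contextlib import contextmanager
from urllib.parse import urlsplit
from urllib.request import getproxies_environment, proxy_bypass_environment

# Real ACME v2 directory endpoint that `certbot renew` contacts over HTTPS.
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
SQUID = "http://127.0.0.1:3128"  # the local Squid from the thread (constructed)

@contextmanager
def environment(variables):
    """Run the body with os.environ replaced by `variables`, then restore it."""
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(variables)
    try:
        yield
    finally:
        os.environ.clear()
        os.environ.update(saved)

def route_for(url, variables):
    """Proxy URL a request to `url` would use under `variables`, or None when
    it would be sent directly (which, on this server, means the firewall)."""
    parts = urlsplit(url)
    with environment(variables):
        proxies = getproxies_environment()           # keys 'http', 'https', 'no', ...
        if proxy_bypass_environment(parts.hostname, proxies):
            return None                              # host matched no_proxy
        return proxies.get(parts.scheme)             # None: no proxy for https

# Constructed scenarios for what cron, systemd or a shell might hand certbot.
SCENARIOS = {
    "cron job with no proxy variables": {},
    "only http_proxy set": {"http_proxy": SQUID},
    "HTTPS_PROXY set (step 1 of the fix)": {"HTTPS_PROXY": SQUID},
    "no_proxy accidentally covering the ACME host":
        {"HTTPS_PROXY": SQUID, "no_proxy": "localhost,.letsencrypt.org"},
}

def routes(url=ACME_DIRECTORY, scenarios=SCENARIOS):
    """Map each scenario name to the proxy it would use (None means direct)."""
    return {name: route_for(url, env) for name, env in scenarios.items()}

if __name__ == "__main__":
    for name, proxy in routes().items():
        print(f"{name:48s} -> {proxy or 'DIRECT (eaten by the firewall)'}")
```

Only the https scheme matters for certbot, so http_proxy alone leaves the ACME calls direct, and a no_proxy entry that matches the ACME host does the same.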
