Certbot behind a forward proxy

I had many problems. Here they are.

  1. certbot needs to be run with the proxy specified: export HTTPS_PROXY=http://127.0.0.1:3128 && certbot renew --dry-run.
  2. The Squid proxy has to be allowed out to the Internet through the firewall, on IPv4 and IPv6. Something like iptables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT && ip6tables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT is required (see the iptables / ip6tables documentation if needed).
  3. The IPv6 firewall has to allow ICMPv6 traffic, outgoing and incoming. Something like ip6tables -A OUTPUT -p icmpv6 -j ACCEPT && ip6tables -A INPUT -p icmpv6 -j ACCEPT (I did not dig into which specific ICMPv6 types, such as 135, are needed; I've just allowed all ICMPv6 traffic for now).

Now everything works for a manual run.

For automatic runs using cron, edit /etc/cron.d/certbot and add export HTTPS_PROXY=... before the certbot command.

Or, for automatic runs using systemd timers, copy /lib/systemd/system/certbot to /etc/systemd/system and add the line Environment="HTTPS_PROXY=http://127.0.0.1:3128" in the [Service] section (then run systemctl daemon-reload so that your new file is taken into account).
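As an added example (not part of the original post), here is a POSIX sh wrapper for the three steps above that is safe to re-run from cron or a timer: it checks the rule with -C before appending with -A, so repeated runs never stack duplicate firewall rules, and it refuses a malformed HTTPS_PROXY before touching anything. It assumes Squid runs as user proxy on 127.0.0.1:3128 as in the post; the script name certbot-proxy.sh and the override variables IPT, IP6T and PROXY_USER are my own.

```shell
#!/bin/sh
# Assumes Squid runs as user "proxy" on 127.0.0.1:3128, as in the post.
set -eu

PROXY_URL="${HTTPS_PROXY:-http://127.0.0.1:3128}"
PROXY_USER="${PROXY_USER:-proxy}"
IPT="${IPT:-iptables}"      # overridable so the functions can be exercised
IP6T="${IP6T:-ip6tables}"   # without touching the live firewall

# proxy_url_valid <url>: accept only http://host:port with a sane port,
# the form certbot expects in HTTPS_PROXY here.
proxy_url_valid() {
  case "$1" in http://*) ;; *) return 1 ;; esac
  port="${1##*:}"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# ensure_rule <binary> <chain> <rule...>: append a rule only when -C reports
# it absent, so a cron or timer re-run never stacks duplicate rules.
ensure_rule() {
  bin="$1"; chain="$2"; shift 2
  "$bin" -C "$chain" "$@" 2>/dev/null || "$bin" -A "$chain" "$@"
}

apply_firewall() {
  # step 2: only the proxy user may originate outbound traffic, v4 and v6
  ensure_rule "$IPT"  OUTPUT -m owner --uid-owner "$PROXY_USER" -j ACCEPT
  ensure_rule "$IP6T" OUTPUT -m owner --uid-owner "$PROXY_USER" -j ACCEPT
  # step 3: IPv6 does not work without ICMPv6 in both directions
  ensure_rule "$IP6T" OUTPUT -p icmpv6 -j ACCEPT
  ensure_rule "$IP6T" INPUT  -p icmpv6 -j ACCEPT
}

renew_via_proxy() {
  proxy_url_valid "$PROXY_URL" || { echo "bad HTTPS_PROXY: $PROXY_URL" >&2; return 1; }
  apply_firewall
  # step 1: certbot only uses the proxy when told so in its environment
  HTTPS_PROXY="$PROXY_URL" certbot renew --dry-run
}

# Run the whole procedure only when invoked as:  sh certbot-proxy.sh run
case "${1:-}" in run) renew_via_proxy ;; esac
```

Point the cron entry or the timer's ExecStart at `sh certbot-proxy.sh run` instead of calling certbot directly.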