Configuring Certbot to connect via proxy

Hey Guys, I am looking for some help with Certbot. We are testing implementation of our own ACME server for internal Certs using Certbot as the app to manage our Certs. Many of our servers are internal & only proxy out using stunnel. How can I configure Certbot to connect over the proxy port?

Certbot version 1.11.0

Maybe it's possible to use the HTTP_PROXY and HTTPS_PROXY environment variables when calling Certbot?

Also, note that Let's Encrypt can only issue certificates for publicly accessible hostnames.


Thanks Osiris! I was hoping to have it within the config, but if it's not possible, then I'll have to add that into my commands & build my scripts that way. And we're running it through our own ACME server to issue Certs from our own internal CA, so I'm not worried about LE validation.


I've taken those suggestions from the requests documentation here:

https://docs.python-requests.org/en/latest/user/advanced/#proxies

I'm not familiar with a setting to set it from within Certbot itself. Might be a good idea to open an issue on GitHub (certbot/certbot)?


Thank you for that! I'm still not sure if I'm going to do it all in python or just a simple bash script. There's not too much complexity with it seeing as how I can set the ACME server & the keys in the config file & just automate the renewals with a cron job.


It seems fairly simple to modify the Certbot code to include a proxy feature. I think :stuck_out_tongue:

Just add a --http-proxy and --https-proxy, parse it into a proxy = {} list in the global configuration and call session.proxies.update(proxies) wherever a session = requests.Session() is being called (notably in the acme library).

Major complication might be DNS plugins using a third party library to connect to the applicable DNS API......

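A stdlib-only illustration of the two approaches in this thread, the HTTP_PROXY/HTTPS_PROXY environment variables from the earlier reply and the --http-proxy/--https-proxy options proposed here. This is an added example, not Certbot's or the acme library's own code; the flag names, the select_proxy helper and the stunnel host are hypothetical, and the precedence it models (explicit session proxies beat the environment, NO_PROXY only suppresses environment proxies) is what python-requests applies when merging session.proxies with os.environ.

```python
import os
from urllib.parse import urlparse


def env_proxies(environ):
    """Collect HTTP_PROXY/HTTPS_PROXY (either case) into a requests-style proxies dict."""
    proxies = {}
    for scheme in ("http", "https"):
        for key in (scheme + "_proxy", scheme.upper() + "_PROXY"):
            if environ.get(key):
                proxies[scheme] = environ[key]
                break
    return proxies


def bypassed(host, no_proxy):
    """True if host matches NO_PROXY: '*' means everything, else exact or domain-suffix match."""
    for entry in (e.strip().lower().lstrip(".") for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*" or host == entry or host.endswith("." + entry):
            return True
    return False


def select_proxy(acme_url, environ, http_proxy=None, https_proxy=None):
    """Return the proxy URL to use for acme_url, or None for a direct connection.

    Explicit options (the thread's hypothetical --http-proxy/--https-proxy) win
    over the environment, and NO_PROXY only suppresses environment proxies, which
    is the precedence requests applies when merging session.proxies with os.environ.
    """
    parsed = urlparse(acme_url)
    host = (parsed.hostname or "").lower()
    no_proxy = environ.get("no_proxy") or environ.get("NO_PROXY") or ""
    proxies = {} if bypassed(host, no_proxy) else env_proxies(environ)
    if http_proxy:
        proxies["http"] = http_proxy
    if https_proxy:
        proxies["https"] = https_proxy
    return proxies.get(parsed.scheme)


if __name__ == "__main__":
    # Constructed environment standing in for what a cron job would export (hypothetical hosts).
    env = {"HTTPS_PROXY": "http://stunnel.internal:8443", "NO_PROXY": "localhost,.corp.example"}
    print(select_proxy("https://acme.vendor.example/directory", env))   # http://stunnel.internal:8443
    print(select_proxy("https://acme.corp.example/directory", env))     # None: internal host, bypassed
    print(select_proxy("https://acme.corp.example/directory", env,
                       https_proxy="http://127.0.0.1:8443"))            # http://127.0.0.1:8443
```

Running the same selection against os.environ instead of the constructed dict shows which proxy (if any) Certbot's requests session would pick up from the shell that launches it.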

Oh you were talking about modifying the actual code itself. lol. That's not a bad idea either. I'm not as strong with coding, so I'll leave that alone.

Yes, for when using environment variables is not an option. Most users can probably use env vars, though.


OK, so adding a proxy option isn't as easy as I thought. There are some parts of the code using the requests library which do not have easy access to the general configuration, such as options.

