Creating through proxy fails but env set correctly

Hey everyone,

I am trying to create a certificate through a proxy server. Internet works fine except for certbot. E.g.:

# curl  https://acme-v02.api.letsencrypt.org/directory
{
  "P8aHyK21ch0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

while env settings are all set:

# env|grep http
ftp_proxy=http://172.17.1.68:8888/
https_proxy=http://172.17.1.68:8888/
HTTPS_PROXY=http://172.17.1.68:8888/
HTTP_PROXY=http://172.17.1.68:8888/
http_proxy=http://172.17.1.68:8888/

and

# grep DefaultEnv /etc/systemd/system.conf
#DefaultEnvironment=
DefaultEnvironment=https_proxy=http://172.17.1.68:8888 http_proxy=http://172.17.1.68:8888 HTTPS_PROXY=http://172.17.1.68:8888 HTTP_PROXY=http://172.17.1.68:8888

But when creating the certificate we get a "Network is unreachable" error:

# sudo certbot certonly --register-unsafely-without-email --agree-tos  --preferred-challenges dns -d crm.linkscrambler.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using AWS Route53 for
DNS). (dns-route53)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-route53, Installer None
An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Please see the logfiles in /var/log/letsencrypt for more details.

OS is Debian 11

Any help would be highly appreciated!

Thanks


What shows?:
certbot --version


Ok, you got me there. I was running certbot 1.12.0 but I removed it, installed snapd, certbot, certbot-dns-route53 and now

~# certbot --version
certbot 2.11.0

but still:

# sudo certbot certonly --register-unsafely-without-email --agree-tos  --preferred-challenges dns -d crm.linkscrambler.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Obtain certificates using a DNS TXT record (if you are using AWS Route53 for
DNS). (dns-route53)
3: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
4: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 2
An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Don't think sudo normally keeps env variables


The same from root. Tried both sudo user and root; the copy-paste was from the user terminal. root has the same env variables.

Check:


Note: I don't use Debian...

Show:
grep -i environ /etc/systemd/system/snap.certbot.renew.service


Well, HTTPS_PROXY should work:

server ~ # HTTPS_PROXY=https://localhost/ certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ProxyError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ProxyError('Unable to connect to proxy', SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'localhost'. (_ssl.c:1004)"))))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
server ~ # 

(I'm not running a proxy on localhost, just testing the HTTPS_PROXY environment variable. Without it Certbot of course works like a charm.)

But I'm not using Snap. Looking at the Certbot v1.9.0 changelog though, it should also work with Snap:

  • Upgraded the version of httplib2 used in our snaps and Docker images to add support for proxy environment variables (…)
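A small diagnostic, added here as an example rather than code from the thread or from Certbot, that checks a process's proxy environment for the pitfalls raised in this thread: variables missing in the context certbot actually runs in (sudo, a systemd unit, the snap service), mismatched upper/lower-case spellings, and the https:// proxy scheme tested above. It assumes Certbot's HTTP stack (requests via the acme library) follows urllib's proxy-variable rule, where the lower-case name takes precedence:

```python
"""Diagnose proxy variables the way Certbot's requests-based HTTP stack does.

Added example, not from the thread or Certbot: lower-case *_proxy names win over
upper-case ones (urllib's rule), https:// proxy URLs mean TLS to the proxy, and
an environment without a proxy (e.g. under sudo or a snap service) is reported.
"""
import os
from urllib.parse import urlsplit

PROXY_VARS = ("https_proxy", "http_proxy")


def effective_proxies(env):
    """Resolve *_proxy variables; lower-case names win over upper-case ones."""
    proxies = {}
    for name, value in env.items():  # first pass: any spelling
        if name.lower().endswith("_proxy") and value:
            proxies[name.lower()[:-6]] = value
    for name, value in env.items():  # second pass: lower-case overrides
        if name.endswith("_proxy"):
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


def diagnose(env):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    proxies = effective_proxies(env)
    if "https" not in proxies:
        return ["https_proxy not set in this environment: ACME requests go direct"]
    for var in PROXY_VARS:
        lower, upper = env.get(var), env.get(var.upper())
        # a trailing slash (thread's shell env vs. system.conf) is harmless
        if lower and upper and lower.rstrip("/") != upper.rstrip("/"):
            findings.append(f"{var} and {var.upper()} differ; {var} wins")
    url = urlsplit(proxies["https"])
    if url.scheme == "https":  # TLS to the proxy itself, as in the localhost test
        findings.append("https:// proxy: its certificate must be valid for "
                        + (url.hostname or "?"))
    elif url.scheme != "http":
        findings.append(f"non-HTTP proxy scheme {url.scheme!r}: check client support")
    return findings


if __name__ == "__main__":
    # Run under the same account as certbot (e.g. via sudo) to see what it sees.
    for line in diagnose(os.environ) or ["proxy settings look consistent"]:
        print(line)
```

Run it under the same account that runs certbot (sudo by default resets the environment unless env_keep or -E is used), and for the snap timer compare against what the unit file from the previous reply sets.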

Indeed, it worked fine, but only after a clean install. Maybe the old certbot version was not removed correctly, or there were some leftover changes from when I tried to troubleshoot it the first time.

Thank you all for your time and support

