Proxy_http not recorded in the conf

Hi, wanting to use Let’s Encrypt with a private IP, I used the command

env https_proxy="https://proxy.unige.ch:3128" \
      certbot certonly --preferred-challenges dns-01 \
                              --authenticator manual \
                              --domain virtunix.unige.ch \
                              --manual-public-ip-logging-ok

This is working well.

But the automagic renewal process failed. I got:

 # certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/virtunix.unige.ch.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/virtunix.unige.ch.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/virtunix.unige.ch/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Trying to solve this, I have relaunched the certonly command instead of the renew. So somehow, I’m not able to test the renew command anymore :frowning:

But what I found suspect is how certbot can know that it should use https_proxy when doing the renew, as my conf looks like:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/virtunix.unige.ch
cert = /etc/letsencrypt/live/virtunix.unige.ch/cert.pem
privkey = /etc/letsencrypt/live/virtunix.unige.ch/privkey.pem
chain = /etc/letsencrypt/live/virtunix.unige.ch/chain.pem
fullchain = /etc/letsencrypt/live/virtunix.unige.ch/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = 78f31fa68457a7390ae2f27ca8b6e16f
pref_challs = dns-01,
manual_public_ip_logging_ok = True

As you can see, there is no mention of https_proxy in it.

That's because it is an environment variable, not actual input into certbot directly.

I'm surprised it even works :stuck_out_tongue:

You should run certbot renew in the same way you've run the initial command: with the environment variable in front of it.

1 Like

I’d love to know how to pass https_proxy to certbot?

In your first post you said “This is working well.”? So you already know how to do it, right?

Perhaps you mean the cron job? If you installed Certbot from your operating system’s package manager, it probably placed the cron job in /etc/cron.d. Look there, and if you find it, you should be able to add the proxy before the certbot command just as you did in the shell.

That won’t solve your problem though - or at least not by itself.

The immediate reason your renewal is failing is because certbot renew doesn’t work with the manual authenticator unless you do some scripting. This is because the renewal is meant to run unattended, and so it can’t ask you to perform the manual steps because you might not be there. So you need to provide scripts to perform the “manual” steps automatically.

Since you’re using the DNS-01 challenge, you might actually be better off using another client such as acme.sh instead of Certbot, as it has built-in support for automated renewals with a number of popular DNS providers.

Another option is to try to get one of Certbot’s other authenticators working, such as apache or webroot, as they all support automated renewals except manual. That’s admittedly difficult with a private IP though.

If you’re not actually interested in automated renewals, just run the same certonly command again each time you want to renew manually.

1 Like
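The scripting that the last reply says the manual authenticator needs for unattended renewal, as an added example that is not part of any post in this thread: a hook script for `--manual-auth-hook` that publishes the DNS-01 TXT record with `nsupdate`. It assumes the zone accepts TSIG-signed dynamic updates (RFC 2136); `DNS_SERVER`, `TSIG_KEYFILE` and the 30-second wait are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: certbot manual hook for DNS-01 via nsupdate.
# Assumed: the zone accepts TSIG-signed dynamic updates (RFC 2136).
# DNS_SERVER, TSIG_KEYFILE and the 30 s wait are placeholders.
DNS_SERVER="${DNS_SERVER:-ns.example.invalid}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"
TTL=60

# _acme-challenge.<domain>. ; a wildcard "*.name" is validated at "name".
challenge_name() {
    d=${1#\*.}
    printf '_acme-challenge.%s.' "$d"
}

# The DNS-01 TXT value is an unpadded base64url SHA-256 digest: 43 characters.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Print nsupdate commands. $1 = add|delete, $2 = domain, $3 = validation value.
# Both values are checked first so nothing can inject extra nsupdate lines.
build_update() {
    valid_token "$3" || { echo "unexpected validation value" >&2; return 1; }
    case "$2" in
        ''|*[!A-Za-z0-9.*-]*) echo "unexpected domain" >&2; return 1 ;;
    esac
    name=$(challenge_name "$2")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$1" = add ]; then
        printf 'update add %s %s TXT "%s"\n' "$name" "$TTL" "$3"
    else
        printf 'update delete %s TXT "%s"\n' "$name" "$3"
    fi
    printf 'send\n'
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to its manual hooks,
# so the body runs only when certbot is the caller.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action=${1:-add}
    cmds=$(build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || exit 1
    printf '%s\n' "$cmds" | nsupdate -k "$TSIG_KEYFILE" || exit 1
    if [ "$action" = add ]; then sleep 30; fi   # let the record propagate
fi
```

The script would be passed as `--manual-auth-hook "/path/to/hook.sh add"` and `--manual-cleanup-hook "/path/to/hook.sh delete"` (placeholder path), with `https_proxy` set in front of the certbot command as in the first post.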
