Windows Proxy no user/password

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: testssc.nl

I ran this command: certbot certonly --manual --register-unsafely-without-email --eab-kid=*** --eab-hmac-key=*** --server "http://acme.digicert.com/v2/acme/directory/" -d testssc.nl

It produced this output: acme.errors.ClientError: <Response [407]>

My web server is (include version): Windows Server 2019/IIS

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

I receive an error on our internal proxy server: there is no user/password supplied. I notice certbot uses the proxy settings from Microsoft Edge. But there is no option for me to supply credentials. Does anyone know where I can add credentials with the proxy server?

@certbot-devs Currently, the Certbot documentation does not provide any information about using Certbot in combination with a proxy. Any thoughts here? Especially as I'm not sure if environment variables used by requests are working on Windows. Or how to do that anyway..

3 Likes

Proxy servers can be configured to allow anonymous access to specific URLs/sites/domains/IPs/etc.

1 Like

@rg305 Is true but really don’t want to do this because of office policy. If there is no way out this is my only option but I don’t know why you just can’t supply credentials

1 Like

Since you're on Windows, your best option is probably to use a Windows-specific ACME client, like Certify the Web or win-acme.

2 Likes

But do those allow for proxy creds?

1 Like

Office policy isn't being broken by allowing anonymous access to specific URLs.
How does the office allow the printers to get their updates?

2 Likes

I assume they'll inherit the OS config.

Which ? ? ? ?

1 Like

@9peppe Thanks, will look into this other client. I’ve been using certbot because the CA supports this in their documentation. But maybe I can get win-acme working. Win-acme does offer proxy credentials in their documentation. :slight_smile:

1 Like

I actually have no idea.

1 Like

It should be possible to use a proxy with Certbot on Windows, but it's true that we don't have any documentation for it. We ideally should, but how to do it isn't a request that I see come up much.

It should be possible to do with environment variables. See https://2.python-requests.org/en/master/user/advanced/#id10. The relevant bit is:

...by default Requests relies on the proxy configuration defined by standard environment variables http_proxy , https_proxy , no_proxy and curl_ca_bundle . Uppercase variants of these variables are also supported. You can therefore set them to configure Requests (only set the ones relevant to your needs):

$ export HTTP_PROXY="http://10.10.1.10:3128"
$ export HTTPS_PROXY="http://10.10.1.10:1080"
$ python
>>> import requests
>>> requests.get('http://example.org')

To use HTTP Basic Auth with your proxy, use the http://user:password@host/ syntax in any of the above configuration entries:

$ export HTTPS_PROXY="http://user:pass@10.10.1.10:1080"
$ python
>>> proxies = {'http': 'http://user:pass@10.10.1.10:3128/'}

The command for setting the environment variables in these examples is for UNIX, but doing the equivalent thing in Windows batch/powershell should work.

4 Likes
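The Windows equivalent of the environment-variable approach in the post above, as an added example that is not part of the thread or of Certbot's documentation. It assumes the proxy accepts HTTP Basic auth; the proxy host and port are placeholders, and the account entered at the prompt is assumed to be a dedicated proxy account.

```powershell
# Added example: run certbot behind an authenticating proxy with the
# credentials held only in this PowerShell process.
# Placeholders (not from the thread): proxy host and port.
$proxyHost = 'proxy.example.internal'
$proxyPort = 3128

# Prompt instead of hard-coding; nothing is written to disk or the registry.
$cred = Get-Credential -Message 'Proxy account'

# Percent-encode so characters such as '\', '@' or ':' in DOMAIN\user or
# in the password do not break the user:password@host URL syntax.
$user = [uri]::EscapeDataString($cred.UserName)
$pass = [uri]::EscapeDataString($cred.GetNetworkCredential().Password)
$proxyUrl = "http://${user}:${pass}@${proxyHost}:${proxyPort}"

try {
    # $env: assignments exist in this process and are inherited only by
    # the child processes it starts (here: certbot).
    $env:HTTP_PROXY  = $proxyUrl
    $env:HTTPS_PROXY = $proxyUrl

    # Add the remaining options from the original command (--server, EAB values).
    certbot certonly --manual -d testssc.nl
}
finally {
    # Drop the secret from the session even if certbot fails.
    Remove-Item Env:HTTP_PROXY, Env:HTTPS_PROXY -ErrorAction SilentlyContinue
    Remove-Variable cred, user, pass, proxyUrl -ErrorAction SilentlyContinue
}

# Check: warn if a proxy URL was ever persisted at user or machine scope,
# where every new process on the host would inherit it.
foreach ($scope in 'User', 'Machine') {
    foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY') {
        if ([Environment]::GetEnvironmentVariable($name, $scope)) {
            Write-Warning "$name is set at $scope scope"
        }
    }
}
```

For an unattended renewal task the prompt would have to be replaced by a secret store readable only by the task's account.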

@DannyE Don't your Edge proxy settings already incorporate the username/password? Isn't it a little bit strange it would use the address data for the proxy from Edge, but not the username/password? How does Edge even manage username/passwords for proxies? So many unknowns for me :stuck_out_tongue:

2 Likes

Thanks for mentioning Certify The Web but we actually don't officially support proxies because there are too many variables when it comes to extended things like scripted deployments etc. It is of course technically possible (I just don't want to debug people's proxy settings for them) and I think both win-acme and posh-acme have explicit proxy support. The best approach is to use a transparent proxy.

4 Likes

@Osiris Edge uses your Windows login credentials but certbot runs on local system.

@bmw thank you. I will try this and let you know. Have been fooling around with these settings but couldn’t get it working. But maybe with this little documentation I will

1 Like

You need to set a new http_proxy variable and you don't need to change anything.

Just open an administrative cmd and enter:

set HTTP_PROXY=http://proxy_userid:proxy_password@proxy_ip:proxy_port

1 Like

So now....

[by simply issuing a SET command]
Anything that can reach any command prompt can have your proxy_userid and proxy_password - which is likely an AD account with other privileges.

I don't know if I'll be able to sleep tonight - LOL

1 Like

Can't Windows set environment variables per command call?

1 Like

All things set in Windows are visible to all command prompts.
[I hope that answers your question]

A solution is Windows containers - but I'm not going down that path.

1 Like

@rg305 I believe this is why service accounts exist which you can lock to certain computers.