let’s encrypt via proxy server under debian

i prefer a strict DROP policy for outgoing traffic from production servers. let’s encrypt’s API endpoint is behind Akamai’s CDN, and the IP address to which acme-v02.api.letsencrypt.org resolves changes frequently. i don’t like playing whack-a-mole every 3 months, so i’ve:

  • set up a squid-based proxy server that allows filtering based on domain names, in /etc/squid/squid.conf:

    acl src_web2 src 19.18.17.16 # ip of the web server with let's encrypt certbot
    acl dst_letsencryptacmeapi dstdomain acme-v01.api.letsencrypt.org
    acl dst_letsencryptacmeapi dstdomain acme-staging-v02.api.letsencrypt.org
    acl dst_letsencryptacmeapi dstdomain acme-v02.api.letsencrypt.org
    http_access allow src_web2 dst_letsencryptacmeapi
    http_access deny src_web2

  • told let’s encrypt to use a proxy server
    by creating /etc/systemd/system/certbot.service.d/env-proxy.conf with:

    [Service]
    # that's the address of proxy server
    Environment="HTTPS_PROXY=http://1.2.3.4:3128"
    and running: systemctl daemon-reload
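to sanity-check the rule order before reloading squid, here is a small evaluator (added example, not part of the post or of squid) that models only the subset of squid semantics the snippet uses: `src` and `dstdomain` acls, `http_access allow`/`deny` lines matched first-match-wins, and squid's documented default when nothing matches (the opposite of the last rule); negated acls and other acl types are not handled. the config text is a copy of the snippet above.

```python
import ipaddress

# copy of the squid.conf fragment from the post (constructed sample input)
SQUID_CONF = """
acl src_web2 src 19.18.17.16 # ip of the web server with let's encrypt certbot
acl dst_letsencryptacmeapi dstdomain acme-v01.api.letsencrypt.org
acl dst_letsencryptacmeapi dstdomain acme-staging-v02.api.letsencrypt.org
acl dst_letsencryptacmeapi dstdomain acme-v02.api.letsencrypt.org
http_access allow src_web2 dst_letsencryptacmeapi
http_access deny src_web2
"""

def parse_conf(text):
    """Collect 'acl' definitions and the ordered list of 'http_access' rules."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)  # same name => values are ORed
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))  # acl names on one line are ANDed
    return acls, rules

def acl_matches(acls, name, src_ip, dst_domain):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        # squid: ".example.org" matches the domain and its subdomains,
        # "example.org" (no leading dot) matches that exact host only
        return any(dst_domain == v or
                   (v.startswith(".") and (dst_domain == v[1:] or dst_domain.endswith(v)))
                   for v in values)
    raise ValueError(f"unsupported acl type: {kind}")

def is_allowed(conf_text, src_ip, dst_domain):
    """First matching http_access line decides; if none matches, squid applies the
    opposite of the last rule's action (so a trailing 'deny' implies 'allow')."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        if all(acl_matches(acls, n, src_ip, dst_domain) for n in names):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else False
```

note the last case in the test: a host other than web2 matches neither rule of this fragment, so the implicit default lets it through; in a real squid.conf that is what the usual trailing `http_access deny all` is for.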
