
use of https_proxy environment in a closed environment

Open GiT-BeDa opened this issue 1 year ago • 1 comment

I am deploying an HTTPS proxy in a closed environment where every request to external resources must go through an HTTP proxy. I have set the http_proxy and https_proxy environment variables and configured Docker to use these (through the systemd file and config.json).

I can successfully deploy my stack, but it appears that HTTPS Portal does not use the proxy to connect to letsencrypt.org; instead, it attempts a direct connection, which fails. Is there a way to make HTTPS Portal connect to Let's Encrypt through the configured proxy?

Signing certificates from https://acme-v02.api.letsencrypt.org/directory ...
Parsing account key...
Parsing CSR...
Found domains: webmail.example.com
Getting directory...
Traceback (most recent call last):
File "/usr/bin/acme_tiny", line 199, in <module>
main(sys.argv[1:])
File "/usr/bin/acme_tiny", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/acme_tiny", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/acme_tiny", line 46, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 101] Network is unreachable>

GiT-BeDa, Nov 14 '24 00:11
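The `<urlopen error ...>` in the traceback above is raised by Python's urllib, which acme_tiny uses for the ACME directory request. urllib's default opener only goes through a proxy if `http_proxy`/`https_proxy` are present in the process environment of the process making the request, and it also honours `no_proxy`. The following added example (not code from https-portal or acme_tiny) reproduces urllib's environment-to-proxy resolution on a plain dict so the check runs offline; the proxy address `squid.internal:3128` and the `no_proxy` entries are assumptions. It shows what urllib would do for the Let's Encrypt directory URL under a given environment, and how an explicit `ProxyHandler` can force a proxy regardless of the real environment.

```python
"""Added example (not part of https-portal or acme_tiny): how Python's urllib
resolves a proxy from environment variables, and how to force one explicitly.
Hostnames and the proxy address are assumptions for illustration."""
import urllib.request
from urllib.parse import urlparse


def proxies_from_env(env):
    """Build the proxies mapping urllib derives from an environment.

    Mirrors urllib.request.getproxies_environment(): any variable named
    <scheme>_proxy (case-insensitive) maps scheme -> proxy URL, so
    https_proxy -> "https" and no_proxy -> "no".  `env` is a plain dict
    so the example never touches os.environ.
    """
    proxies = {}
    for name, value in env.items():
        lname = name.lower()
        if lname.endswith("_proxy") and value:
            proxies[lname[: -len("_proxy")]] = value
    return proxies


def proxy_for(url, env):
    """Return the proxy URL urllib would use for `url`, or None for a direct connection.

    None is exactly the situation in the traceback: with no proxy variables
    in the container's environment, urlopen() connects to the ACME host
    directly, which fails in a closed network.
    """
    proxies = proxies_from_env(env)
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # urllib exposes the same no_proxy check it uses internally.
    if urllib.request.proxy_bypass_environment(host, proxies):
        return None
    return proxies.get(parsed.scheme)


def build_opener(env):
    """Opener with an explicit ProxyHandler built from `env`.

    ProxyHandler(<dict>) ignores the real os.environ entirely, which is how a
    tool can be made to honour a configured proxy even when the variables were
    never passed into the container.
    """
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies_from_env(env))
    )


if __name__ == "__main__":
    acme = "https://acme-v02.api.letsencrypt.org/directory"
    closed_env = {  # constructed environment, assumed proxy address
        "https_proxy": "http://squid.internal:3128",
        "http_proxy": "http://squid.internal:3128",
        "no_proxy": "localhost,.example.com",
    }
    print("with proxy vars:   ", proxy_for(acme, closed_env))
    print("local host bypass: ", proxy_for("https://webmail.example.com/", closed_env))
    print("empty environment: ", proxy_for(acme, {}))
```

Run it inside the container (for example with `docker exec`) against the real environment by replacing `closed_env` with `dict(os.environ)`; if `proxy_for` returns None there, the proxy variables never reached the process, whatever the daemon-level configuration says.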

Not currently.

Even if HTTP proxy support is implemented, there is still a problem: the Let's Encrypt server must directly access HTTPS-PORTAL on ports 80 and 443. In heavily protected network environments, this is usually not possible. Therefore I don't think you should use publicly signed certificates.

Maybe a set of local certificates would work just fine for you? In that case, please have a look at the relevant sections in the documentation.

SteveLTN, Nov 22 '24 15:11

The incoming connection from the Let's Encrypt server is not a problem at all; only outgoing connections have to pass the ACL on the proxy server, which verifies that only trusted destinations are reachable from the server. I can open the firewall to the actual IP of "acme-v02.api.letsencrypt.org", but if the IP changes I will lose the connection. It would be a dream if https-portal were able to connect to a proxy server like Squid.

GiT-BeDa, Feb 24 '25 11:02