Argo Tunnel, LetsEncrypt Renewal problem

I have an internal gitlab service that’s configured to use LetsEncrypt (LE) certificate. This LE certificate is set to auto renew 30 prior to expiration. I have configured Argo tunnel to restrict this service via One-Time Pin.
So far, all good: when I access the service, I’m prompted to enter email address where the pin would be mailed. However, it has now been two months and the LE renewal is failing. Looking at the logs, it seems like when the certbot tries to renew the certificate, the Argo Tunnel authentication is intercepting/preventing the cert from getting renewed. Here’s a log snip:

Domain: gitlab.mydomain.com
Type: unauthorized
Detail: Invalid response from https://.cloudflareaccess.com/cdn-cgi/access/login/gitlab.mydomain.com?kid=xxxxxxx

I’m using NginxProxyManager for the LE cert management/renewal. The command that’s failing is:
:warning: warning Command failed: /usr/bin/certbot renew --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-1” --preferred-challenges “dns,http” --disable-hook-validation

How do I configure my internal service that’s exposed via Argo tunnel to successfully renew LE cert?

This is an Access policy problem, rather than an Argo Tunnel problem.

The easiest way is to use the Certbot DNS plugin.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

The alternative is to create a bypass policy. The old docs give an example for Let’s Encrypt.

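To make the bypass approach concrete, here is an added example (not from the original post or Cloudflare's docs) that creates a second, narrower Access application covering only the ACME http-01 challenge path and attaches a bypass policy to it, so the One-Time Pin policy on the rest of the host stays intact. It assumes the Cloudflare v4 API endpoints for Access apps and policies, an account ID and an API token with Access:Edit permission, and that Access applies the policies of the most specific matching application when paths overlap.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
ACME_PATH = "/.well-known/acme-challenge"


def acme_app(hostname):
    # Self-hosted Access application restricted to the ACME challenge path.
    # Assumption: Access evaluates the most specific matching application, so this
    # narrow app wins over the OTP-protected app that covers the whole hostname.
    return {"name": f"ACME http-01 bypass for {hostname}",
            "type": "self_hosted",
            "domain": f"{hostname}{ACME_PATH}"}


def acme_bypass_policy():
    # Let's Encrypt validation servers are unauthenticated and come from many IPs,
    # so the rule must include everyone; the narrow path keeps the exposure limited to
    # challenge-token lookups rather than the whole GitLab instance.
    return {"name": "Allow ACME validation",
            "decision": "bypass",
            "include": [{"everyone": {}}]}


def _post(path, body, api_token):
    req = urllib.request.Request(
        f"{API}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        out = json.load(resp)
    if not out.get("success"):
        raise RuntimeError(f"Cloudflare API error: {out.get('errors')}")
    return out["result"]


def create_acme_bypass(account_id, api_token, hostname, post=_post):
    # Create the path-scoped application first, then attach the bypass policy to it.
    app = post(f"/accounts/{account_id}/access/apps", acme_app(hostname), api_token)
    policy = post(f"/accounts/{account_id}/access/apps/{app['id']}/policies",
                  acme_bypass_policy(), api_token)
    return app["id"], policy["id"]


if __name__ == "__main__":
    # CF_ACCOUNT_ID and CF_API_TOKEN are placeholders supplied via the environment.
    ids = create_acme_bypass(os.environ["CF_ACCOUNT_ID"], os.environ["CF_API_TOKEN"],
                             "gitlab.mydomain.com")
    print("created app/policy:", ids)
```

After this, the failing `certbot renew` should reach the challenge file over HTTP; the DNS plugin remains the option that exposes no path at all.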
