I have an internal GitLab service that’s configured to use a LetsEncrypt (LE) certificate. This LE certificate is set to auto-renew 30 prior to expiration. I have configured Argo Tunnel to restrict this service via One-Time Pin.
So far, all good: when I access the service, I’m prompted to enter the email address where the pin will be mailed. However, it has now been two months and the LE renewal is failing. Looking at the logs, it seems that when certbot tries to renew the certificate, the Argo Tunnel authentication is intercepting/preventing the cert from getting renewed. Here’s a log snippet:
Detail: Invalid response from https://.cloudflareaccess.com/cdn-cgi/access/login/gitlab.mydomain.com?kid=xxxxxxx
I’m using NginxProxyManager for the LE cert management/renewal. The command that’s failing is:
warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --disable-hook-validation
How do I configure my internal service that’s exposed via Argo Tunnel to successfully renew its LE cert?
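A diagnostic for the failure described in the post, written as an added example (it is not part of the original post, not NginxProxyManager code, and not a Cloudflare tool). It does two things: classifies a single fetch of the HTTP-01 challenge URL the way the ACME validator would (token served, 404, or a redirect to the Cloudflare Access login page, which is exactly what the quoted `Invalid response from ...cloudflareaccess.com/cdn-cgi/access/login/...` line reports), and flags that pattern in certbot log output. The hostname `gitlab.example.com`, the team name `TEAM`, the token and the sample responses are all constructed placeholders.

```python
"""Check whether an HTTP-01 challenge path is reachable unauthenticated
or is being swallowed by a Cloudflare Access login redirect.

Added example; hostnames, tokens and sample responses are constructed.
"""
import urllib.error
import urllib.request

# Path segment that identifies an Access login redirect (seen in the
# certbot error quoted in the post).
ACCESS_LOGIN_MARKER = "/cdn-cgi/access/login"


def classify_challenge_response(status, headers, body, expected_token):
    """Return what an ACME validator would conclude from one fetch of
    http://<host>/.well-known/acme-challenge/<token>.

    The validator expects HTTP 200 with a body that starts with the
    token (the key authorization is "<token>.<account-thumbprint>").
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if 300 <= status < 400 and ACCESS_LOGIN_MARKER in location:
        # Access answered instead of the origin: validator never sees the token.
        return "intercepted_by_access"
    if status == 200 and body.strip().startswith(expected_token):
        return "token_served"
    if status == 404:
        # Origin reached, but the ACME client did not place the file there.
        return "token_missing"
    return "unexpected"


def is_access_interception_log_line(line):
    """True for certbot 'Detail:' lines that point at the Access login page."""
    return "Invalid response from" in line and ACCESS_LOGIN_MARKER in line


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the redirect
    target (the Access login URL) can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_challenge_path(host, token, timeout=10):
    """Live check: fetch the challenge URL over plain HTTP, as the ACME
    validator does, and classify the answer. Network access required."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return classify_challenge_response(resp.status, dict(resp.headers), body, token)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx arrive here because redirects are not followed.
        body = err.read().decode("utf-8", errors="replace") if err.fp else ""
        return classify_challenge_response(err.code, dict(err.headers), body, token)


def demo():
    """Offline walk-through over constructed responses."""
    token = "constructed-token-123"
    access_redirect = {
        "Location": "https://TEAM.cloudflareaccess.com/cdn-cgi/access/login/"
                    "gitlab.example.com?kid=constructed",
    }
    return {
        "behind_access": classify_challenge_response(302, access_redirect, "", token),
        "healthy": classify_challenge_response(200, {"Content-Type": "text/plain"},
                                               f"{token}.constructed-thumbprint", token),
        "not_placed": classify_challenge_response(404, {}, "not found", token),
        "log_line": is_access_interception_log_line(
            "Detail: Invalid response from https://TEAM.cloudflareaccess.com"
            "/cdn-cgi/access/login/gitlab.example.com?kid=constructed"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A result of `intercepted_by_access` means the validator is being handed the Access login page rather than the key authorization, so HTTP-01 cannot succeed through the tunnel as configured; either the challenge path must reach the origin without the One-Time Pin gate, or renewal has to use a challenge that never touches the origin (DNS-01, which the quoted command already lists first in `--preferred-challenges` but which certbot only uses when a DNS plugin is configured).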