Possible proxy problem


I’m struggling with creating a certificate on a ubuntu 14.04
virtual machine in a private cloud, though I was able to do so on a
separate VM in the same cloud a week ago. The error I’m getting when
trying to run “./letsencrypt-auto certonly --standalone -d myfqdn” is

HTTPSConnectionPool(host=‘acme-v01.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(’<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fa3c6535e90>: Failed to establish a new connection: [Errno 101] Network is unreachable’,))

The private cloud uses a proxy server which I can reflect in the
https_proxy=myproxyurl environment variable and when I do so I can
successfully curl the implied link:

ubuntu@proxy01:~$ curl https://acme-v01.api.letsencrypt.org/directory

I can also retrieve the url from within python using urllib2 which
I suppose therefore must refer to the environment variable but not
with urllib3 which needs to be explicitly told about the proxy:

ubuntu@proxy01:~$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.

url = ‘https://acme-v01.api.letsencrypt.org/directory
import urllib2
res2 = urllib2.urlopen(url)

import urllib3
http = urllib3.PoolManager()
res3 = http.request(‘GET’, url)
This line hangs - it needs to be explicitly told about the proxy server, i.e.

http = urllib3.ProxyManager(myproxyurl)
res3 = http.request(‘GET’, url)

Noticing that the error I’m getting when I try and create my certificate is from
urllib3 and involves the request timing out I wonder if I need to indicate the proxy settings somehow when I generate. I
am confused however, the server on which I have been able to create
certificates is running the same operating system and letsencrypt
version. Or maybe its something else completely and I need nudging in a different direction. Any help would be much appreciated.


Hi @msouth, I’m not sure that there is a currently-documented thing to do with respect to outbound proxies, but I wanted to point out that the ACME library used by our client is using requests rather than directly using urllib3. So you might want to test using requests and see if you can find a way to tell it to use an outbound proxy.


Thanks for the tip @schoen. In isolation, requests does pay attention to the proxy env variable as can be seen here:

ubuntu@proxy01:~$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> url = 'https://acme-v01.api.letsencrypt.org/directory'
>>> import requests
>>> requests.get(url)
<Response [200]>

The stack trace though (see below) suggests the problem does originate there. It still looks to me as if the client is ignoring the proxy for some reason.

2016-05-04 15:49:15,262:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-04 15:51:22,580:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
  File "/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
    return config.func(config, plugins)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 504, in obtain_cert
    le_client = _init_le_client(config, auth, installer)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 356, in _init_le_client
    acc, acme = _determine_account(config)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 341, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 117, in register
    acme = acme_from_config_key(config, key)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 41, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 627, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 609, in _send_request
    response = requests.request(method, url, *args, **kwargs)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/adapters.py", line 437, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb70a899f10>: Failed to establish a new connection: [Errno 101] Network is unreachable',))


In Python 2.7.6 the client uses a different method of making network connections – search for “Prior to Python 2.7.9” in acme/acme/client.py. Would you be able to run the client using Python 2.7.9 or later?


Thanks for you help Seth. In the end this wasnt a problem with python versions. The issue stemmed from not passing the proxy settings (which I set in the http_proxy and https_proxy environment variables) up to the privileged user. So to fix it I ran “sudo -E ./letsencrypt-auto certonly --standalone -d myfqdn”. The embarrassing part of this story is that I’d forgotten I had worked out I needed to do this the first time I tried it (doh).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.