ProxyError "Cannot connect to proxy"

My domain is:
goslnet.gov.lc

I ran this command:
certbot certonly --apache

It produced this output:
requests.exceptions.ProxyError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ProxyError('Cannot connect to proxy.', timeout('timed out')))

My web server is (include version):
Apache 2.4.43

The operating system my web server runs on is (include version):
openSUSE Leap 15.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.26.0

Note:
I use a Squid proxy server, which is set in /etc/environment, and the server connects to it fine (the only way to get internet access is through the proxy, and the server has internet access). The Squid access log shows this error when certbot fails:

NONE/503 0 CONNECT acme-v02.api.letsencrypt.org:443 - HIER_NONE/- -

Hi @xcenai, and welcome to the LE community forum 🙂

The source IP of the proxy might be blocked by LE.
Please show the outputs (through the proxy) of:

  • http://ifconfig.co
  • https://acme-v02.api.letsencrypt.org/directory

results for http://ifconfig.co

TCP_TUNNEL/200 3847 CONNECT ifconfig.co:443 - HIER_DIRECT/104.21.25.86 -

results for https://acme-v02.api.letsencrypt.org/directory:

NONE/503 0 CONNECT acme-v02.api.letsencrypt.org:443 - HIER_NONE/- -

Using curl on https://ifconfig.co results in a successful connection. The results show my ip address. Not sure if it is safe to post it online here.

@lestaff, please check IP 104.21.25.86 for blocking


Note that Let's Encrypt needs to be able to connect to goslnet.gov.lc on port 80 (for the http-01 challenge) or port 443 (for the tls-alpn-01 challenge) to validate your hostname. If your server has difficulty connecting to the outside world, how would the Let's Encrypt validation server be able to connect to your server?

Also, I noticed that goslnet.gov.lc does not have an IP address associated with it, so Let's Encrypt won't be able to connect to it anyway. That leaves the dns-01 challenge.

That's a Cloudflare IP address, probably the address resolved for ifconfig.co from the OP's location. (I'm getting a different one from Europe.)


Ok I think I can figure out the problem now. From what I understand, the web server needs to be public facing. Our webservers are internal. Sorry, my mistake.


Or use the dns-01 challenge. But in that case, at least your domain name needs to be accessible from the internet.
