Why does System.CalloutException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable" occur?

When we make an authenticated web service callout from Salesforce, the call sometimes fails with this error: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable". The error usually occurs when the firewall at the external system blocks the calls made from Salesforce, so the request never reaches the web service hosted on the external server and no response comes back.

Below are a few of the reasons that could cause this issue.

  • Check whether your firewall is configured to allow traffic from Salesforce. Whitelist the Salesforce IP ranges in your firewall. See the Salesforce document on whitelisting Salesforce IPs.

  • It could be a certificate issue.
    • The certificate might have expired.
    • The certificate chain should be valid, in the correct order, and trusted by Salesforce. The order of certificates should be: server certificate --> intermediate certificate that signed the server's certificate --> next intermediate certificate, and so on up to the one before the root certificate. The root certificate should be one trusted by Salesforce. To review the current list of supported CA certificates, append /cacerts.jsp to any instance URL.
    • You can check for certificate issues using an SSL checker or the OpenSSL tools. With OpenSSL installed, run the following command to test your server, replacing <hostname>:<port> with your server's hostname and port. This command shows all the certificates returned during the SSL handshake.

                    openssl s_client -connect <hostname>:<port> -showcerts

    • If you are using two-way SSL, Salesforce can present either a self-signed or a CA-signed certificate during the call. Make sure that this certificate is added to the callout and installed on the external server.

  • It could be an incorrect DNS configuration. One such scenario was a DNS server returning an NXDOMAIN response for AAAA queries instead of NODATA, even though the domain had an A record.

Let me know if you know any other reasons which can cause the issue. Thank you for your time in checking this article.

Cheers :)