# NPM SSL with DNS (Cloudflare) – "Internal Error" / PyPI Connection Failure
Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation
Symptom: When requesting an SSL certificate in Nginx Proxy Manager (NPM) using DNS Challenge with Cloudflare, you see:

- Internal Error
- Warnings:

```text
Retrying ... after connection broken by 'NewConnectionError(... [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
ERROR: Could not find a version that satisfies the requirement certbot-dns-cloudflare
ERROR: No matching distribution found for certbot-dns-cloudflare
```
## Cause

NPM runs Certbot inside its container (LXC). When you request a DNS (Cloudflare) certificate, NPM tries to install the `certbot-dns-cloudflare` Python package from PyPI (pypi.org). The error means the NPM container cannot reach the internet (or PyPI):

- DNS: The container may not be able to resolve `pypi.org` (e.g. no working DNS in the container).
- Outbound: The container may have no default route or outbound access (firewall, network, or Proxmox/LXC network config).

So the failure is network (no PyPI), not your Cloudflare credentials.
## Diagnostics: resolv.conf looks good but "Temporary failure in name resolution"

If `/etc/resolv.conf` has valid nameservers (e.g. 192.168.11.1, 8.8.8.8) but `ping pypi.org` still fails with "Temporary failure in name resolution", run these on the Proxmox host (replace 10233 with your NPM VMID):

```bash
# Can the container reach the internet by IP?
pct exec 10233 -- ping -c 2 8.8.8.8
# Can it resolve if we force IPv4?
pct exec 10233 -- ping -4 -c 2 pypi.org
# Direct DNS query (if nslookup or getent is installed)
pct exec 10233 -- nslookup pypi.org 8.8.8.8
# or
pct exec 10233 -- getent hosts pypi.org
```

- If `ping 8.8.8.8` works but `nslookup`/`getent` fails: the container has outbound IP but DNS queries are failing (e.g. UDP/53 blocked, or DNS not reachable from the CT).
- If `ping 8.8.8.8` fails: the container has no outbound route; check the CT's network (bridge, gateway) and any firewall on the host or LAN.
- If `ping -4 pypi.org` works: the issue may be IPv6; you can set the CT to use only IPv4 DNS or fix IPv6 connectivity.
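The probes above and the three rules for reading them, combined into one script. This is an added example, not part of the runbook; it assumes `pct` is on the host's PATH, that `ping` and `getent` exist inside the CT, and uses the runbook's placeholder VMID 10233 (override with `NPM_VMID`).

```shell
#!/bin/sh
# Added example (not from the runbook): run the diagnostics probes against the NPM CT
# from the Proxmox host and map the outcomes to the runbook's diagnoses.
# Assumes: pct on PATH, ping and getent inside the CT. 10233 is the runbook's placeholder VMID.
VMID="${NPM_VMID:-10233}"

# Run one command inside the CT; echo 0 if it succeeded, 1 if not (never aborts the script).
probe() {
  if pct exec "$VMID" -- "$@" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# classify <ip_ok> <name_ok> <v4_ok> <dns_ok>   (each 0 = worked, 1 = failed)
#   ip_ok   : ping -c 2 8.8.8.8        outbound route by IP
#   name_ok : ping -c 2 pypi.org       normal resolution, as pip inside NPM would do it
#   v4_ok   : ping -4 -c 2 pypi.org    resolution forced to IPv4
#   dns_ok  : getent hosts pypi.org    direct resolver query
classify() {
  if [ "$1" -ne 0 ]; then
    echo "no-route"      # no outbound route: check CT bridge/gateway and host or LAN firewall
  elif [ "$2" -eq 0 ]; then
    echo "ok"            # PyPI is reachable; retry the certificate / plugin install
  elif [ "$3" -eq 0 ]; then
    echo "ipv6"          # IPv4 works, plain lookup does not: IPv4-only DNS or fix IPv6
  elif [ "$4" -ne 0 ]; then
    echo "dns-blocked"   # outbound IP works but DNS fails: UDP/53 blocked or resolver unreachable
  else
    echo "unknown"       # resolver answers but ping pypi.org fails: inspect ip route / ip addr
  fi
}

# diagnose: run all four probes against the CT and print the verdict.
diagnose() {
  classify "$(probe ping -c 2 8.8.8.8)" \
           "$(probe ping -c 2 pypi.org)" \
           "$(probe ping -4 -c 2 pypi.org)" \
           "$(probe getent hosts pypi.org)"
}

# Only touch the CT when invoked as: sh diagnose-npm-ct.sh run
if [ "${1:-}" = "run" ]; then
  echo "CT $VMID: $(diagnose)"
fi
```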
Proxmox CT DNS (host-managed): Ensure the container gets DNS from the host. On the Proxmox host:

```bash
# Check CT config for nameserver
pct config 10233 | grep -E 'nameserver|search'
# Set DNS for the CT (host injects into resolv.conf); use your LAN DNS or 8.8.8.8
pct set 10233 --nameserver 8.8.8.8
# or multiple
pct set 10233 --nameserver "192.168.11.1 8.8.8.8"
```

Then from inside the container (or `pct exec 10233 -- bash`), run `ping -c 2 pypi.org` again. If it still fails, the container may not have a route to 8.8.8.8 or 192.168.11.1 (check `ip route` and `ip addr` inside the CT).
## Fixes

### 1. Give the NPM container outbound internet (recommended)

Ensure the NPM LXC has:

- DNS: Either use the host's resolver or set `nameserver 8.8.8.8` (or your LAN DNS) in the container's `/etc/resolv.conf`.
- Default route: The container must have a gateway and be allowed to reach the internet (no firewall blocking outbound from the container).

On the Proxmox host:

```bash
# From Proxmox host (e.g. SSH root@192.168.11.11)
# Replace 10233 with your NPM container VMID
pct exec 10233 -- cat /etc/resolv.conf
pct exec 10233 -- ping -c 2 8.8.8.8
pct exec 10233 -- ping -c 2 pypi.org
```

If `pypi.org` does not resolve or ping fails, fix DNS/network for that CT (e.g. Proxmox CT network settings, or edit `/etc/resolv.conf` inside the container). After the container can reach the internet, try requesting the certificate again in the NPM UI.
### 2. Install the plugin inside the NPM container (when it has network)

Once the container can reach the internet (e.g. from another machine or after fixing DNS), install the plugin so NPM doesn't need to do it on first use:

From the Proxmox host (SSH to the node that runs the NPM container):

```bash
# Replace 10233 with your NPM container VMID (see .env or ensure-npmplus-vm-operational.sh)
pct exec 10233 -- /opt/certbot/bin/pip install --upgrade pip setuptools wheel
pct exec 10233 -- /opt/certbot/bin/pip install certbot certbot-dns-cloudflare
```

From your workstation (if you have SSH to Proxmox and `.env` with `PROXMOX_HOST`, `NPMPLUS_VMID`):

```bash
./scripts/install-certbot-dns-cloudflare-in-npm.sh
```

After this, request the DNS (Cloudflare) certificate again in the NPM UI. Your Credentials File Content (Cloudflare API token or email+api_key) is unchanged; the problem was only the missing plugin due to no PyPI access.
### 3. Use HTTP-01 instead of DNS (workaround)

If you cannot give the NPM container outbound access to PyPI:

- Use HTTP Challenge (HTTP-01) in NPM instead of DNS Challenge. That does not require `certbot-dns-cloudflare`.
- For HTTP-01 to work, port 80 on your public IP must reach NPM (or the host that serves the domain), and the domain must resolve to that IP. If you're behind a router, ensure port 80 is forwarded to the NPM host.
## Summary

| Problem | Cause | Fix |
|---|---|---|
| Internal Error + PyPI / certbot-dns-cloudflare errors | NPM container cannot reach PyPI (DNS or outbound) | Fix DNS/outbound for the NPM LXC; then retry or run the install script. |
| Plugin still missing after network fix | NPM installs plugin on first use; first use failed | Run `pct exec <vmid> -- /opt/certbot/bin/pip install certbot certbot-dns-cloudflare` (or use `install-certbot-dns-cloudflare-in-npm.sh`). |
| Prefer not to open outbound from container | — | Use HTTP-01 in NPM instead of DNS Challenge. |
## Router blocks container IPs: use host as gateway (NAT)

If the Proxmox host can reach the internet but the NPM container (192.168.11.166 / .167) gets "Destination Host Unreachable" or 100% packet loss to 8.8.8.8, the router may be blocking those IPs. Use the Proxmox host as the container's gateway and NAT so outbound traffic appears from the host's IP.

On the Proxmox host (replace 10233 with your NPM VMID, 192.168.11.11 with the host's IP on the same bridge):

1. Enable forwarding and NAT:

   ```bash
   echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ipforward.conf && sysctl -w net.ipv4.ip_forward=1
   iptables -t nat -A POSTROUTING -s 192.168.11.166/32 -j MASQUERADE
   iptables -t nat -A POSTROUTING -s 192.168.11.167/32 -j MASQUERADE
   ```

2. Use host as gateway via eth1. If the host has 192.168.11.166 as a secondary IP (e.g. keepalived), replies would be stolen by the host. Use eth1 (192.168.11.167) for the default route so replies go to the container:

   - In the container:

     ```bash
     ip route del default; ip route add default via 192.168.11.11 dev eth1
     ```

   - Persistent: set the CT so eth1 has the gateway and eth0 has none:

     ```bash
     pct set 10233 --net0 name=eth0,bridge=vmbr0,...,ip=192.168.11.166/24,...(nogw=)
     pct set 10233 --net1 name=eth1,bridge=vmbr0,...,ip=192.168.11.167/24,gw=192.168.11.11,...
     ```

3. Verify: `pct exec 10233 -- ping -c 2 8.8.8.8` and `pct exec 10233 -- ping -c 2 pypi.org`.

4. Certbot plugin: If the container uses system certbot, `apt-get install -y python3-certbot-dns-cloudflare` and `certbot plugins` should show `dns-cloudflare`. If NPM uses a venv certbot, ensure the container has internet (step 3) and retry the certificate in the NPM UI.
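The NAT step above, as an added example that is not part of the runbook: `iptables -A` appends a duplicate rule every time it is run, so this version checks the POSTROUTING table first, adds only what is missing, keeps each rule scoped to one container /32 rather than the whole bridge subnet, and re-reads the table to confirm. It uses the runbook's container IPs and sysctl file; `CT_IPS` and the function names are assumed.

```shell
#!/bin/sh
# Added example (not from the runbook): apply the host-as-gateway NAT idempotently and verify it.
# Assumes root on the Proxmox host with iptables and sysctl available.
CT_IPS="${CT_IPS:-192.168.11.166 192.168.11.167}"   # runbook's container IPs; CT_IPS is an assumed name

# masq_rule_present <rules> <ip>: <rules> is the output of `iptables -t nat -S POSTROUTING`.
# True only if a MASQUERADE rule scoped exactly to <ip>/32 is already in the table.
masq_rule_present() {
  printf '%s\n' "$1" | grep -Fxq -- "-A POSTROUTING -s $2/32 -j MASQUERADE"
}

# missing_masq <rules> <ip>...: print the container IPs that still lack their rule.
missing_masq() {
  rules=$1; shift
  for ip in "$@"; do
    masq_rule_present "$rules" "$ip" || echo "$ip"
  done
}

# enable_forwarding: persist and apply net.ipv4.ip_forward exactly as the runbook does.
enable_forwarding() {
  echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ipforward.conf
  sysctl -w net.ipv4.ip_forward=1
}

# ensure_nat: add only the absent rules (one /32 per container, never the whole subnet),
# then re-read the table and fail if anything is still missing.
ensure_nat() {
  for ip in $(missing_masq "$(iptables -t nat -S POSTROUTING)" $CT_IPS); do
    iptables -t nat -A POSTROUTING -s "$ip/32" -j MASQUERADE
  done
  left=$(missing_masq "$(iptables -t nat -S POSTROUTING)" $CT_IPS)
  [ -z "$left" ] || { echo "NAT rules still missing for: $left" >&2; return 1; }
}

# Only change the host when invoked as: sh npm-ct-nat.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_forwarding && ensure_nat && echo "host NAT for $CT_IPS in place"
fi
```

Rules added with `iptables` this way do not survive a reboot on their own; rerun the script at boot or persist them with your distribution's netfilter persistence tooling.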
## See also

- Credentials: `scripts/certbot/print-cloudflare-credentials-from-env.sh` – content for "Credentials File Content *" from `.env`.
- NPM VMID / host: `docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md`, `scripts/ensure-npmplus-vm-operational.sh`.