[GH-ISSUE #904] NPM fails to start using Pihole dns in docker #763

Closed
opened 2026-02-26 06:34:18 +03:00 by kerem · 6 comments

Originally created by @pittbull on GitHub (Feb 18, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/904

**Describe the bug**
When starting docker app (2.7.2) using PiHole dns running in a separate container on the same host, the following is logged during startup:

```
app_1  | [2/18/2021] [2:03:37 PM] [Migrate  ] › ℹ  info      Current database version: 20201014143841
app_1  | [2/18/2021] [2:04:20 PM] [Global   ] › ✖  error     Command failed: pip3 install certbot-dns-cloudflare==1.8.0 cloudflare
app_1  | WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f9c8898ae20>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f9c8898ad60>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f9c8896a490>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f9c8896a340>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f9c8896a4c0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | ERROR: Could not find a version that satisfies the requirement certbot-dns-cloudflare==1.8.0 (from versions: none)
app_1  | ERROR: No matching distribution found for certbot-dns-cloudflare==1.8.0
```

If I add the 'dns' option to my docker-compose file and point it to 8.8.8.8 NPM loads without issues.

I have tried setting the same option to the various docker and physical ips, but they yield the same error.

I have several other containers, servers and clients that successfully use the Pihole container as their dns.

Any advice on this strange issue?
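
An added example, not part of the original issue or the project's code: a small triage function for logs like the one above. It shows that the `[Errno -3]` in pip's retry warnings is a name-resolution error, so the closing `No matching distribution found` line is a symptom of failed DNS rather than a missing package. The function and constant names are hypothetical, the errno values assume Linux, and the sample log is abridged from the lines above.

```python
import re

# getaddrinfo() failures surface in pip's warnings as negative errnos.
# Values assumed from Linux libc (EAI_* constants).
RESOLVER_ERRNOS = {-2: "EAI_NONAME", -3: "EAI_AGAIN", -4: "EAI_FAIL"}

ERRNO_RE = re.compile(
    r"Failed to establish a new connection: \[Errno (-?\d+)\] ([^')]+)")
NO_DIST_RE = re.compile(r"No matching distribution found for (\S+)")

# Sample input abridged from the log in the issue (object addresses and
# retry arguments shortened).
SAMPLE_LOG = """\
app_1  | error  Command failed: pip3 install certbot-dns-cloudflare==1.8.0 cloudflare
app_1  | WARNING: Retrying (Retry(total=1)) after connection broken by 'NewConnectionError('<conn>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | WARNING: Retrying (Retry(total=0)) after connection broken by 'NewConnectionError('<conn>: Failed to establish a new connection: [Errno -3] Try again')': /simple/certbot-dns-cloudflare/
app_1  | ERROR: No matching distribution found for certbot-dns-cloudflare==1.8.0
"""


def triage(log_text):
    """Classify a failed pip install as 'dns', 'connect', 'package' or 'none'."""
    errnos = [int(m.group(1)) for m in ERRNO_RE.finditer(log_text)]
    missing = NO_DIST_RE.search(log_text)
    if errnos and all(e in RESOLVER_ERRNOS for e in errnos):
        # The index host name never resolved, so pip saw no versions at all.
        cause = "dns"
    elif errnos:
        # At least one attempt got past name resolution and failed at connect.
        cause = "connect"
    elif missing:
        # No connection errors were logged: the index answered without it.
        cause = "package"
    else:
        cause = "none"
    return {
        "cause": cause,
        "failed_attempts": len(errnos),
        "resolver_errors": sorted({RESOLVER_ERRNOS[e] for e in errnos
                                   if e in RESOLVER_ERRNOS}),
        "package": missing.group(1) if missing else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
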

kerem closed this issue and added the stale and bug labels on 2026-02-26 06:34:18 +03:00.

@Zerwin commented on GitHub (Mar 17, 2021):

Both PiHole and Nginx use the port 80 and 443, how did you work around that? I don't think you can have the same ports in use for 2 containers on 1 host.


@SteveGBuck commented on GitHub (Mar 17, 2021):

@Zerwin, I use "expose" rather than "ports" in my pihole container config. Then let NPM proxy to pihole using the docker network. The only thing I'm unsure of is that this is not blocking SSL based adverts which I'm looking at right now.

Here's my docker-compose.yml for pihole (but NPM uses the same external "proxy" network).

```
version: "3.2"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/tcp
      - 53:53/udp
    expose:
      - 67/udp
      - 80/tcp
      - 443/tcp
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: '***********'
    # Volumes store your data between container upgrades
    volumes:
      - etc-pihole:/etc/pihole/
      - etc-dnsmasq.d:/etc/dnsmasq.d/
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    #cap_add:
    #  - NET_ADMIN
    restart: unless-stopped

volumes:
  etc-pihole:
  etc-dnsmasq.d:

networks:
  default:
    external:
      name: proxy
```

@Zerwin commented on GitHub (Mar 17, 2021):

From the PiHole docker hub site:

> Port 443 is to provide a sinkhole for ads that use SSL. If only port 80 is used, then blocked HTTPS queries will fail to connect to port 443 and may cause long loading times. Rejecting 443 on your firewall can also serve this same purpose. Ubuntu firewall example: `sudo ufw reject https`

As you are only exposing port 443 it's never available to anything outside NPM and PiHole. You need to properly publish port 443 for this to work.

Overall I would suggest moving away from exposing ports and putting PiHole on a different VM/Server. You can still use docker there if you like. Exposing ports like you are now is probably also what is causing the original problem.


@SteveGBuck commented on GitHub (Mar 17, 2021):

@Zerwin I'm not the OP, but I have no issue starting up NPM and Pihole this way (i.e. no port conflict) and at the moment Pihole looks like it's working. But as you rightly point out I'm not sure I've resolved the whole SSL sinkhole problem (I need to find a site that uses SSL adverts to test). I did also follow the instruction in the guides to set the default site in NPM to redirect to my pihole address - maybe this is addressing the SSL sinkhole problem?


@github-actions[bot] commented on GitHub (Mar 18, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@github-actions[bot] commented on GitHub (Apr 29, 2025):

Issue was closed due to inactivity.
