apt update is not working

[mister_x]

Hello, I'm new to Linux and I'm Russian. I have a problem with http://download.proxmox.com/debian/pve/.
For cleanliness, I left only pve-enterprise.sources and proxmox.sources with such content.
Ping works without any problems. This is my first installation of this system.
There is no proxy or VPN on the server, it is connected directly to the router, and the IP address is white.

pve-enterprise.sources:

Enabled: no
Types: deb
URIs: http://enterprise.proxmox.com/debian/pve
Suites: trixie
Components: pve-enterprise
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg

proxmox.sources:

Types: deb
URIs: http://download.proxmox.com/debian/pve
Suites: trixie
Components: pve-no-subscription
Enabled: true
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg

When using the `apt update` command, I get this error, and when I try to update everything through the server's web dashboard, I get the same error with code 100:

Ign:1 http://download.proxmox.com/debian/pve trixie InRelease
Err:2 http://download.proxmox.com/debian/pve trixie Release
  404  Not Found [IP: 195.166.180.231 80]
Error: The repository 'http://download.proxmox.com/debian/pve trixie Release' does not have a Release file.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

When using curl -v http://download.proxmox.com/debian/pve/dists/bookworm/Release:

* Host download.proxmox.com:80 was resolved.
* IPv6: 2a0b:7140:5:100::167
* IPv4: 45.84.67.184
*   Trying [2a0b:7140:5:100::167]:80...
* Immediate connect fail for 2a0b:7140:5:100::167: Network is unreachable
*   Trying 45.84.67.184:80...
* Connected to download.proxmox.com (45.84.67.184) port 80
* using HTTP/1.x
> GET /debian/pve/dists/bookworm/Release HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Moved Temporarily
< Allow: GET,POST,HEAD
< MIME-Version: 1.0
< Server: NetEngine Server 1.0
< Pragma: No-Cache
< Location: http://195.166.180.231
<
* shutting down connection #0

I'm very tired and don't understand what to do, the official documentation doesn't help either.

 

[bbgeek17]

Hi @mister_x , welcome to the forum.

I presume you do not have subscription at the moment, in that case you should leave the PVE enterprise as disabled (as you have now) or remove it completely.

You said you do not have VPN. You may want to actually get one, you know why.

curl -v http://download.proxmox.com/debian/pve/dists/bookworm/Release:

< Server: NetEngine Server 1.0 < Pragma: No-Cache < Location: http://195.166.180.231

This IP does not belong to Proxmox GmbH .

IP Address: 195.166.180.231
Country: Russia
ISP: OJSC Rostelecom

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[fabian]

can confirm what @bbgeek17 wrote - it looks like something/someone is MITM-ing your connection!

 

[bbgeek17]

can confirm what @bbgeek17 wrote - it looks like something/someone is MITM-ing your connection!

We know who and why

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[fstrankowski]

First: Welcome to the Forum!

The previous answers are correct but i would like to add more information to it. Your internetprovider "ROSTELECOM" MITM your connection (is reading what you are visiting) and modifies the original endpoints answer (the one from the Proxmox repository) so that your server instead connects to the server with the address "http://195.166.180.231"

< Server: NetEngine Server 1.0
< Pragma: No-Cache
< Location: http://195.166.180.231

and

route:          195.166.180.0/22
origin:         AS8568
mnt-by:         ROSTELECOM-MNT

Edit: (see below for an easier way first)

Could you please try the following:

sudo find /etc/apt/sources.list.d/ -maxdepth 1 -type f -name '*.sources' \
-exec sed -i.bak 's/download\.proxmox\.com/185.219.221.167/g' {} +

And run the update again. This replaces the URL with an hardcoded IP endpoint for the PVE repository for testing purposes.
.bak files are automatically generated to get back to the original state.

For testing purposes, here are more IPv4 and IPv6 for the proxmox repository extracted out of their CDN via dig

• 185.219.221.167 (see http://185.219.221.167)
• 45.84.67.184 (see http://45.84.67.184) (your currently used one)
• 2a0e:9880:304::184 (see http://[2a0e:9880:304::184])
• 2a0b:7140:5:100::167 (see http://[2a0b:7140:5:100::167])

Easier way:

Here is a quick script (made with AI but manually tested and reviewed) to test which endpoints do work and which are supervised by your government.

Echoing either "MITM" if your government is spying or the content of the proxmox CDN directory.

#!/usr/bin/env bash
set -u

SCHEME="${SCHEME:-http}"
PATH_CHECK="${PATH_CHECK:-/}"
CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-5}"
MAX_TIME="${MAX_TIME:-10}"

ENDPOINTS=(
  "185.219.221.167"
  "45.84.67.184"
  "2a0e:9880:304::184"
  "2a0b:7140:5:100::167"
)

for ep in "${ENDPOINTS[@]}"; do
  if [[ "$ep" == *:* ]]; then
    url="${SCHEME}://[${ep}]${PATH_CHECK}"
  else
    url="${SCHEME}://${ep}${PATH_CHECK}"
  fi

  echo "==> Testing: $url"

  response="$(curl -sS -i --noproxy '*' \
    --connect-timeout "$CONNECT_TIMEOUT" \
    --max-time "$MAX_TIME" \
    "$url" 2>&1)"
  rc=$?

  if [[ $rc -ne 0 ]]; then
    printf '%s\n\n' "$response"
    continue
  fi

  status_line="$(printf '%s\n' "$response" | grep -m1 '^HTTP/')"
  status_code="$(printf '%s\n' "$status_line" | awk '{print $2}')"

  if [[ "$status_code" == "302" ]]; then
    echo "MITM"
  else
    printf '%s\n' "$response"
  fi

  echo
done