[SOLVED] Permission denied - invalid csrf token (401)

albans

Active Member
May 7, 2015
49
1
26
Hi,

I've followed the below article to add a COMODO certificate to Proxmox:
https://pve.proxmox.com/wiki/HTTPS_...4.x_and_newer)#CAs_other_than_Let.27s_Encrypt

So basically, I updated the 2 files related to my only node:
/etc/pve/nodes/<node>/pveproxy-ssl.pem
/etc/pve/nodes/<node>/pveproxy-ssl.key

I've then restarted pve-proxy:
systemctl restart pveproxy

Then it's great, when accessing PVE, I can see that my connection is using a valid certificate.
Nevertheless, when I want to start a KVM host (or create one), I receive the below error:
promxox 4.4 Connection error 401: Permission denied - invalid csrf token

What's wrong?
Shall I also touch the below files?
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
I've also tried to remove all files as described here
https://pve.proxmox.com/wiki/HTTPS_....x_and_newer)#Revert_to_default_configuration
But I keep running into the issue - for example when I try to connect via Spice...

Thanks for your help.
 
Last edited:
I found this post: https://forum.proxmox.com/threads/continuing-issues-with-pveproxy-and-pve-ssl-key.29886/

Then I tried the below (after following "Revert to default configuration" https://pve.proxmox.com/wiki/HTTPS_....x_and_newer)#Revert_to_default_configuration) :

These 4 match (note /etc/pve/local/ is an alias of /etc/pve/nodes/<node>/):
openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -modulus
openssl rsa -in /etc/pve/local/pve-ssl.key -noout -modulus
openssl x509 -in /etc/pve/nodes/<node>/pve-ssl.pem -noout -modulus
openssl rsa -in /etc/pve/nodes/<node>/pve-ssl.key -noout -modulus

These 2 DO NOT match (neither with the other 4 files, neither between each other):
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -modulus
openssl rsa -in /etc/pve/pve-www.key -noout -modulus

Is the problem related to /etc/pve/ files? Shall they be replaced?

Looking forward to hearing from anyone on this pretty dramatic issue - as I only did follow the guideline provided by Proxmox, and even with the "Revert to default configuration" I can't get it working.
 
Last edited:
the CSRF token has nothing to do with the certificate and key used for TLS. either you modified the wrong files, or you have some outdated tokens cached on the client side.
 
Hi Fabian,

Thx for the feedback - it's definitely not an issue on the client side as it doesn't work as well from other browsers and computers, via VPN or not.
Then could you point out which wrong files could have been modified that would bring this error?

As explained, these are the modified files:
/etc/pve/nodes/<node>/pveproxy-ssl.pem
/etc/pve/nodes/<node>/pveproxy-ssl.key

And the I've used
pvecm updatecerts -f

Even if I understand that this error is not related to the TLS keys, I wonder why it has appeared after changing these specific files - and moreover, it would be good to know from what this error can come.

Moreover, I've seen this post:
https://forum.proxmox.com/threads/permission-denied-invalid-csrf-token-401.9233/
And here the problem is related to /etc/pve/pve-www.key ...
So if there's only one node - to which other file the md5sum should be equivalent?

Looking forward to getting your feedback.
 
the pve-www.key is used to generate the token, but has no relation to pveproxy-ssl.pem/.key or pve-ssl.pem/.key. "pvecem updatecerts" does not touch the pve-www.key file (it will regenerate it if it was deleted though). if the CSRF token is rejected, it was either generated with a different key than the server currently has, or it is too old.

I suggest restarting pvedaemon and pveproxy on the server side, and clearing the cache and logging out and in again on the client side.
 
I know this is an old thread, but i want to give the full solution for this, so people dont need to search at all places for the pieces given in several threads.

Delete or move the following files:
/etc/pve/pve-root-ca.pem
/etc/pve/priv/pve-root-ca.key
/etc/pve/nodes/<node>/pve-ssl.pem
/etc/pve/nodes/<node>/pve-ssl.key

Then do 'pvecm updatecerts -f' and after that 'systemctl restart pvedaemon'. The error should be gone now after clearing cache of the browser.
 
I know this is an old thread, but i want to give the full solution for this, so people dont need to search at all places for the pieces given in several threads.

Delete or move the following files:
/etc/pve/pve-root-ca.pem
/etc/pve/priv/pve-root-ca.key
/etc/pve/nodes/<node>/pve-ssl.pem
/etc/pve/nodes/<node>/pve-ssl.key

Then do 'pvecm updatecerts -f' and after that 'systemctl restart pvedaemon'. The error should be gone now after clearing cache of the browser.
Not work for me...... error still exists
I am using proxmox 5.2

using cert from lat's encrypt to replace all 4 files.
Works fine except SPICE. cert error on SPICE client.

I want to restore default cert, so I removed these 4 files. Error occured.

i.imgur.com/SpCnpmt.png
i.imgur.com/UmFRhJJ.png
 
i.imgur.com/SpCnpmt.png
i.imgur.com/UmFRhJJ.png

please post log files or error message as text directly into the forum. MUCH better than third party services showing text as pictures ...
 
I want to restore default cert, so I removed these 4 files. Error occured.

Did you clear the cache of your browser after doing this?
 
Did you clear the cache of your browser after doing this?

I use incognito mode to check it. But I found the problem is not the browser.

This problem solved after I reboot the server.

It seems "systemctl restsrt pveproxy" is not enougth.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!