3 Node cluster "permission denied - invalid PVE ticket (401)"

I solved this by setting up the same NTP server on all servers.
Yes, I also solved this by setting up the same NTP server on all servers. Today one new server I added to my cluster had a different time and date. Later, as I set it manually to the current time, it started working. Thanks a lot, it saved me a lot of time.
 
Hello, I was having the same problem. The way I fixed it is:
1. Deleting these files:
<node> is your node name
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
  • /etc/pve/authkey.pub
  • /etc/pve/priv/authkey.key
  • /etc/pve/priv/authorized_keys
2. pvecm updatecerts -f
3. systemctl restart pvedaemon pveproxy

Hope it works for others too
Your answer helped me too, thanks. ProxMox, so why is this happening? We have a 6.4-6 cluster, the problem has not been resolved yet.
 
Hello, I was having the same problem. The way I fixed it is:
1. Deleting these files:
<node> is your node name
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
  • /etc/pve/authkey.pub
  • /etc/pve/priv/authkey.key
  • /etc/pve/priv/authorized_keys
2. pvecm updatecerts -f
3. systemctl restart pvedaemon pveproxy

Hope it works for others too
The only solution from many that I have tried, and actually worked! Many Thanks!!!
 
So, I found my problem. For some reason, one of my nodes had the wrong date, which resulted in constant 401 errors. After synchronizing the date and time, the problem went away.
 
Hello, I was having the same problem. The way I fixed it is:
1. Deleting these files:
<node> is your node name
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
  • /etc/pve/authkey.pub
  • /etc/pve/priv/authkey.key
  • /etc/pve/priv/authorized_keys
2. pvecm updatecerts -f
3. systemctl restart pvedaemon pveproxy

Hope it works for others too
Thanks that finally solved my issue
 
Ditto on the old thread, but when I had the same issues setting up Proxmox for the first time in May 2023, this thread helped point me in the right direction.

When I got the error I found one of my nodes had the wrong time.

I rebooted it and set the time locally in the BIOS so I could get in to fix it permanently.

On the node that had the issue I opened the Shell.

Ran timedatectl; it returned "System Clock Synchronization = no"

I then edited
nano /etc/chrony/chrony.conf
and under the # pool comment
changed the server name to my local NTP server

# Use Debian vendor zone
# pool 2.debian.pool.ntp.org iburst
pool 192.168.1.1 iburst

Note my local NTP server is 192.168.1.1; yours may be different if you have one. If not, pick an online NTP server that works for you.

After saving the chrony.conf file I then ran
systemctl restart chronyd

Now when I run timedatectl
it returns System Clock Sync - yes
and I don't get the error anymore.
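
Why a wrong clock produces this 401, as an added example that is not part of the post above and is not Proxmox code. It assumes (neither is stated in this thread) that a ticket has the layout `PVE:<user>:<hex issue time>::<signature>` and that a node accepts ticket ages between -300 and 7200 seconds; the sample ticket is constructed and its signature is a dummy.

```sh
#!/bin/sh
# Added example: classify a ticket by its age as seen from a node's clock.
# Assumed values, not taken from the thread:
MIN_AGE=-300   # tolerated "issued in the future" margin, in seconds
MAX_AGE=7200   # ticket lifetime, in seconds

# ticket_age TICKET NOW_EPOCH -> age in seconds on a node whose clock reads NOW_EPOCH
ticket_age() (
    case $1 in PVE:*::*) ;; *) exit 1 ;; esac   # needs prefix and signature separator
    plain=${1%%::*}                             # strip the signature
    ts=${plain##*:}                             # last field: hex issue time
    case $ts in ''|*[!0-9A-Fa-f]*) exit 1 ;; esac
    echo $(( $2 - 0x$ts ))
)

# classify_ticket TICKET NOW_EPOCH -> accepted | rejected-future | rejected-expired | malformed
classify_ticket() (
    age=$(ticket_age "$1" "$2") || { echo malformed; exit 0; }
    if [ "$age" -lt "$MIN_AGE" ]; then
        echo rejected-future      # verifying node's clock is behind the issuer
    elif [ "$age" -gt "$MAX_AGE" ]; then
        echo rejected-expired     # verifying node's clock is ahead, or ticket is old
    else
        echo accepted
    fi
)

# Constructed sample: node A issues the ticket, node B verifies it with a skewed clock.
SAMPLE='PVE:root@pam:65AD3B2A::ZHVtbXktc2lnbmF0dXJl'
ISSUED=$((0x65AD3B2A))
for skew in 0 -600 10800; do
    echo "verifier skew ${skew}s: $(classify_ticket "$SAMPLE" $((ISSUED + skew)))"
done
```

A node whose clock is ten minutes behind, or three hours ahead, rejects a ticket that the issuing node considers fresh, which matches the symptom that disappears once every node syncs to the same NTP source.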
 
I've tried all the above and thank you to the previous posters for helping to make progress. Removing the keys and doing the update certs didn't quite work for me as my system was a test homelab and probably fubarred at some stage :)

From another thread which I have now lost I got mine to work by amending /etc/pve/corosync.conf


Bash:
#totem {
#  cluster_name: homelab
#  config_version: 15
#  interface {
#    linknumber: 0
#  }
#  ip_version: ipv4-6
#  secauth: on
#  version: 2
#}

totem {
  cluster_name: homelab
  config_version: 16
  interface {
    ringnumber: 0
    knet_transport: sctp
  }
  ip_version: ipv4-6
  secauth: on
  version: 2
  token: 10000
}
 
So, I have gone from loving Proxmox (currently running 8.1) while it ran on a single host to hating it when trying to create a cluster and add a second host. Absolutely NOTHING I have tried to fix the 401 invalid PVE ticket error works. Yes, both servers have the same NTP server. Yes, both seem to have the exact same time. No, I can't edit corosync.conf because the file is read-only (after doing systemctl stop corosync). No, I can't delete those files mentioned in this post (pve-root-ca.pem etc.), seems like the command just hangs (waited a few minutes). It's just for my homelab, both hosts connected to my Cisco switch (read something about unicast/multicast in another post).

Is there anyone with a step-by-step procedure to get rid of the 401 invalid PVE ticket error? Sometimes I get a connection refused 595 error too.
 
First thing to check is to see if your cluster && corosync is working correctly.

With the corosync service running on every node, what is the output of "pvecm status" on each node?
 
I broke down the cluster so now I've got two separate nodes again. So far, each time I created the cluster in the GUI and joined the other host that way too. I'm trying the command-line option now and have run pvecm create proxmox-cluster, which completed successfully; pvecm status looks good. Then, still on the same host, I ran pvecm addnode server02 and the command just seems to run forever (has been running for almost 10 minutes now). The 2nd server is showing in the GUI though, but when I click it, you can guess it: connection refused (595).
 
This is what pvecm status shows:

Cluster information
-------------------
Name: proxmox-cluster
Config Version: 1
Transport: knet
Secure auth: on

Quorum information
------------------
Date: Sun Jan 21 15:26:18 2024
Quorum provider: corosync_votequorum
Nodes: 2
Node ID: 0x00000001
Ring ID: 1.c3
Quorate: Yes

Votequorum information
----------------------
Expected votes: 2
Highest expected: 2
Total votes: 2
Quorum: 2
Flags: Quorate

Membership information
----------------------
Nodeid Votes Name
0x00000001 1 192.168.0.199 (local)
0x00000002 1 192.168.0.200

Seems to be fine one would think, but no. Read in another post to try systemctl restart pveproxy pvestatd but that command also just seems to hang. In the same post they mention editing corosync.conf and add token: 10000. I would love to do that if I knew how I can actually save corosync.conf.
 
Ran into the same issue here. One of my nodes renewed its certificate and from that point on, was giving the PVE ticket error. Both nodes in my little cluster are using internal SSL certificates issued by my internal CA (not self-signed like default). They both trust the root CA certificate. Trying anything on the affected node caused it to hang pretty badly, so I powered it off. Thankfully I had replication going so getting the VMs running on the other host was pretty simple.

I'm considering just wiping and rebuilding the affected node before rejoining it to the cluster, since powering it back up will create a mess with it trying to start VMs that are now running elsewhere, etc. My concern is understanding why this happened, since I'm not keen on it happening again. I guess it's something to do with the certificate renewal but that's not much to go off.
 
Hello, I was having the same problem. The way I fixed it is:
1. Deleting these files:
<node> is your node name
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
  • /etc/pve/authkey.pub
  • /etc/pve/priv/authkey.key
  • /etc/pve/priv/authorized_keys
2. pvecm updatecerts -f
3. systemctl restart pvedaemon pveproxy

Hope it works for others too
My node is not in a cluster but I also encountered the "Connection error 401: permission denied - invalid PVE ticket" error after entering my password in the web gui. This resolved my issue. Just running steps 2 and 3 did not work, I had to also delete the files you listed. Thanks!
 
I would check the time is up to date in the BIOS and in the Proxmox server settings. The invalid PVE ticket error is usually due to certificate or time as far as I have seen.
 
I'll check the BIOS later today, but I did confirm that the server's time is correct and syncing with NTP. I'm having terrible stability problems that require me to do hard resets on the server multiple times a week. I'm wondering if one of those hard resets corrupted something.
 
I am playing with clustering in my lab, and this happens every time I add a server to the cluster, without fail. However, in my case, simply ignoring the error and refreshing the browser works fine; the server has been added. I've also gone to another clustered server's web GUI and noticed it's been added while it's still giving the error on the offending system.


A few times it would follow up with "connection error" afterwards, and force me to relogin. Every time though, the server was added to the cluster. I've done about 7 so far in lab for various reasons.

Regardless, for me, ignoring the error works and no issues after the fact so some of the problems might simply be coincidental.
 