[8.3.4] VE Node Self Signed Certificate Problem

Jason Paul

Mar 13, 2025
I just upgraded to the latest version on my 3 node cluster, and was working on building some Packer scripts to build VM templates. I set up a Proxmox API key, but I couldn't get it to connect due to authentication failures:

Code:
$ packer build .
proxmox-iso.debian: output will be in this color.

Build 'proxmox-iso.debian' errored after 3 seconds 488 milliseconds: 401 authentication failure

==> Wait completed after 3 seconds 488 milliseconds

==> Some builds didn't complete successfully and had errors:
--> proxmox-iso.debian: 401 authentication failure

==> Builds finished but no artifacts were created.

Eventually, I started testing the API URL directly, and I started running into errors there too, on both the node directly, and the client:
Code:
root@pve1:~# curl -v -k -H 'Authorization: packer@pve\!packer=apikeyhere' https://pve1.linuxtek.lan:8006/api2/json/cluster/status
*   Trying 172.16.15.15:8006...
* Connected to pve1.linuxtek.lan (172.16.15.15) port 8006 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=pve1.linuxtek.lan
*  start date: Jan  3 06:57:45 2025 GMT
*  expire date: Jan  3 06:57:45 2027 GMT
*  issuer: CN=Proxmox Virtual Environment; OU=idhere; O=PVE Cluster Manager CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
> GET /api2/json/cluster/status HTTP/1.1
> Host: pve1.linuxtek.lan:8006
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization: packer@pve\!packer=apikeyhere
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 No ticket
< Cache-Control: max-age=0
< Connection: close
< Date: Thu, 13 Mar 2025 13:36:08 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Expires: Thu, 13 Mar 2025 13:36:08 GMT
<
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):

In the browser, it looks like it's not using SSL at all, as it says "Not Secure" and HTTPS is crossed out, although I can see the self-signed certificate if I click on the certificate viewer.

I tried testing the SSL connection directly:

Code:
root@pve1:~# openssl s_client -connect pve1.linuxtek.lan:8006
CONNECTED(00000003)
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify return:1
---
Certificate chain
 0 s:OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
   i:CN = Proxmox Virtual Environment, OU = 17ccd30e-1fc9-4d53-be4a-9866f5ad6bdf, O = PVE Cluster Manager CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  3 06:57:45 2025 GMT; NotAfter: Jan  3 06:57:45 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
issuer=CN = Proxmox Virtual Environment, OU = ouhere, O = PVE Cluster Manager CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1839 bytes and written 403 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 51CBDBB6108DFC1E3E93CA664701CCAD550C05813E9C6CBE5C91EEB9ED74AFA0
    Session-ID-ctx:
    Resumption PSK: AF6A965474E5D69D745BC738780BB4160EE3AF83F6EB6EC28DE01A7157E2740C4BE5A088A763E250B90D4CDAB8502EAF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d6 d9 aa 44 c1 1e 50 f0-1b a5 8c 63 67 5f c4 46   ...D..P....cg_.F
    0010 - f9 a0 e7 92 8d 23 18 e7-05 7e 49 9d 90 4f de 51   .....#...~I..O.Q
    0020 - ab 4e ca 8d ed 87 45 da-ef 61 75 27 99 c4 34 1c   .N....E..au'..4.
    0030 - 0e 2f 7e 55 3d fa fc f1-f3 26 48 33 93 e5 a1 5e   ./~U=....&H3...^
    0040 - 57 76 6a 74 5d 60 fd 62-5d 15 68 72 6c 45 5c 0e   Wvjt]`.b].hrlE\.
    0050 - 12 ce 64 62 0e db 1f c0-79 95 13 f9 e6 f9 06 1d   ..db....y.......
    0060 - c0 34 11 5d 2b 38 73 6c-97 6b ff c5 08 f8 74 74   .4.]+8sl.k....tt
    0070 - 8d 32 bf 8b d8 d7 7e 2b-60 8e b5 4c 6c f2 2d 47   .2....~+`..Ll.-G
    0080 - 90 2a 90 ef ab 2f 87 d0-06 db 00 71 77 2e bc a6   .*.../.....qw...
    0090 - 28 d2 21 56 e5 d1 9c aa-b5 1a 69 e7 70 c1 51 34   (.!V......i.p.Q4
    00a0 - 42 b1 0b 57 36 5c 2b 16-f2 fe 02 21 1c 95 80 cb   B..W6\+....!....
    00b0 - c2 6d 48 74 a4 d1 9b 98-26 d7 d4 26 8d ac 0e 99   .mHt....&..&....
    00c0 - 46 7d 25 44 df f7 cc 2b-e2 ae 5c c2 e1 a6 77 9c   F}%D...+..\...w.

    Start Time: 1741873200
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DB97D80F6B074EA52B7B66C37B8DC61366D06A4BAB983D8BB405D9E2FF26EBBD
    Session-ID-ctx:
    Resumption PSK: 192E198306D143E91CFA690ECDD52E9C91A8668C1A57B95719B0FE59CFAADDDFF6F2AC0DCC5CCB6E74A62CC0F7E8414E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d6 d9 aa 44 c1 1e 50 f0-1b a5 8c 63 67 5f c4 46   ...D..P....cg_.F
    0010 - de ed 79 60 c6 bf 7a e7-02 af 52 c6 1d 58 1d 26   ..y`..z...R..X.&
    0020 - bd bc ef 44 d4 3a de a9-4b a3 4f 9c 97 97 f8 34   ...D.:..K.O....4
    0030 - 44 98 78 c2 3e 74 dc 25-e1 8d b2 33 17 bc b0 f3   D.x.>t.%...3....
    0040 - 2a bf 19 ac 47 ab a0 db-cd e4 9b ff 17 a2 eb 88   *...G...........
    0050 - fa d1 64 5c e4 f3 14 fd-c8 57 60 a8 1f 82 ca 7e   ..d\.....W`....~
    0060 - 8c bc 64 2c 33 b2 97 08-11 f6 16 9a 09 5f e3 7f   ..d,3........_..
    0070 - 24 52 15 5a 2f 37 9e 86-0a 30 d5 83 bc f1 7a 44   $R.Z/7...0....zD
    0080 - 5f 74 fa cd 65 66 86 fa-97 87 3b 72 45 4c 9f d9   _t..ef....;rEL..
    0090 - 4e 66 e8 03 e1 cd f5 9b-ee c5 af f9 c7 92 52 c5   Nf............R.
    00a0 - df 85 74 f8 c1 74 ba 2c-c0 a1 31 ff 77 ef 4a 82   ..t..t.,..1.w.J.
    00b0 - 46 11 99 07 ff 38 fd b5-3d a3 97 11 37 c4 ee 44   F....8..=...7..D
    00c0 - 7a 52 0c a9 80 72 5e e7-32 f3 18 f9 98 22 d3 07   zR...r^.2...."..

    Start Time: 1741873200
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
806B989E107B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:322:

I get the above error "SSL routines:ssl3_read_n:unexpected eof while reading" on my workstation, as well as on the node itself when testing.

The Proxmox node has:
Code:
openssl/stable,now 3.0.15-1~deb12u1 amd64 [installed]

My workstation has:
Code:
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.19 amd64 [installed]

I started looking into that last error, and found a couple of GitHub issues related to OpenSSL v3.
These are the GitHub issues I found:

https://github.com/openssl/openssl/discussions/24810
https://github.com/curl/curl/issues/7800

I tried setting the ignore option in /etc/ssl/openssl.cnf on the client and server, but it didn't help, even after restarting networking services.

Code:
[ssl_default_sect]
Options = IgnoreUnexpectedEOF

or 
SSL_OP_IGNORE_UNEXPECTED_EOF

I'm stumped on how to fix this.

Do I need to generate new self-signed certificates?
Is this a problem with the current version of OpenSSL on the server?

Thanks in advance for any advice!
 
This is the error I get testing curl from my workstation - I get the same "unexpected eof while reading" error. This might be due to an older version of OpenSSL, but I can't seem to get a newer version via repository on Linux Mint 21.3.

Code:
$ curl -v -k -H 'Authorization: packer@pve\!packer=apikeyhere' https://192.168.2.15:8006/api2/json
*   Trying 192.168.2.15:8006...
* Connected to 192.168.2.15 (192.168.2.15) port 8006 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=pve1.linuxtek.lan
*  start date: Jan  3 06:57:45 2025 GMT
*  expire date: Jan  3 06:57:45 2027 GMT
*  issuer: CN=Proxmox Virtual Environment; OU=17ccd30e-1fc9-4d53-be4a-9866f5ad6bdf; O=PVE Cluster Manager CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /api2/json HTTP/1.1
> Host: 192.168.2.15:8006
> User-Agent: curl/7.81.0
> Accept: */*
> Authorization: packer@pve\!packer=d54d2f9a-c1ad-465c-a1c4-3295cd1cedc2
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 No ticket
< Cache-Control: max-age=0
< Connection: close
< Date: Thu, 13 Mar 2025 13:55:54 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Expires: Thu, 13 Mar 2025 13:55:54 GMT
< 
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
 
I think the curl test is working on the node directly, as I don't see the EOF error. Not sure what to make of that other than maybe a problem with the older version of OpenSSL on my workstation.
 
From a different workstation with OpenSSL:

Code:
$ curl -vv -k -d 'username=packer@pve!packer' --data-urlencode 'password=apikeyhere' https://pve1.linuxtek.lan:8006/api2/json/access/ticket
* Host pve1.linuxtek.lan:8006 was resolved.
* IPv6: (none)
* IPv4: 192.168.2.15
*   Trying 192.168.2.15:8006...
* Connected to pve1.linuxtek.lan (192.168.2.15) port 8006
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=pve1.linuxtek.lan
*  start date: Jan  3 06:57:45 2025 GMT
*  expire date: Jan  3 06:57:45 2027 GMT
*  issuer: CN=Proxmox Virtual Environment; OU=ouhere; O=PVE Cluster Manager CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> POST /api2/json/access/ticket HTTP/1.1
> Host: pve1.linuxtek.lan:8006
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Length: 72
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 72 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 authentication failure
< Cache-Control: max-age=0
< Connection: close
< Date: Thu, 13 Mar 2025 14:06:51 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Content-Length: 50
< Content-Type: application/json;charset=UTF-8
< Expires: Thu, 13 Mar 2025 14:06:51 GMT
<
* Closing connection
{"message":"authentication failure\n","data":null}

Here is an openssl s_client test:

Code:
$ openssl s_client pve1.linuxtek.lan:8006
CONNECTED(00000003)
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
verify return:1
---
Certificate chain
 0 s:OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
   i:CN = Proxmox Virtual Environment, OU = ouhere, O = PVE Cluster Manager CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  3 06:57:45 2025 GMT; NotAfter: Jan  3 06:57:45 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve1.linuxtek.lan
issuer=CN = Proxmox Virtual Environment, OU = 17ccd30e-1fc9-4d53-be4a-9866f5ad6bdf, O = PVE Cluster Manager CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1839 bytes and written 403 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4BAE151A87F31EC1225EBF351B7373C862CB827CBC5336296E9C9BF6A30E695D
    Session-ID-ctx: 
    Resumption PSK: B0B24B9EA63E9177FB7495E59C71C719AEF2EC495B997FEDB7F54D23C165BD1BF372D10D08C9A263CA3130D2C99ED852
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d6 d9 aa 44 c1 1e 50 f0-1b a5 8c 63 67 5f c4 46   ...D..P....cg_.F
    0010 - ad 76 e5 7a 6b a4 7a 18-2e 48 15 81 df af cc 10   .v.zk.z..H......
    0020 - 74 92 46 ac 24 24 8b e7-21 c1 24 85 b7 ec 46 64   t.F.$$..!.$...Fd
    0030 - 9d 0c 3b 1d 27 c5 5c 89-3f 89 83 1c d9 9d 1f 9d   ..;.'.\.?.......
    0040 - fd a6 ac 1c be 66 55 66-2f fa 16 8b 89 15 14 0c   .....fUf/.......
    0050 - f5 bb 6e b6 48 73 d3 4f-fc 18 b5 32 ec df 29 00   ..n.Hs.O...2..).
    0060 - ac 9a 34 1a bd 74 e9 cb-81 f2 2f 1f 39 9e 75 7b   ..4..t..../.9.u{
    0070 - 90 d4 ba 60 a9 6b 3b 18-64 12 40 e6 1c 87 79 93   ...`.k;.d.@...y.
    0080 - c1 91 a2 6d e0 c0 83 04-83 d4 f1 f0 26 19 ed 6c   ...m........&..l
    0090 - bb ef 55 0a f4 c6 30 8e-13 bb 9d a3 43 b6 c6 08   ..U...0.....C...
    00a0 - a0 83 b0 d9 62 d3 62 a7-bd bf d8 e4 d9 7d 48 37   ....b.b......}H7
    00b0 - 69 de 35 53 78 d4 af b9-64 eb 72 2f e7 85 7f 55   i.5Sx...d.r/...U
    00c0 - 5d ef 45 93 9b 4d 21 f4-6a 67 64 d1 30 0a f0 e7   ].E..M!.jgd.0...

    Start Time: 1741874918
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4B3C7CCF361451CD711554C42BE4E09D9D06D89A269F29B3870F1A1B8ED48D2E
    Session-ID-ctx: 
    Resumption PSK: 3165151291408F7FC74CE9778E30515CD029C9057D9B5E67698E4BDF1CDE703C51C12EEE180B4D73DA8F561935CCBD34
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d6 d9 aa 44 c1 1e 50 f0-1b a5 8c 63 67 5f c4 46   ...D..P....cg_.F
    0010 - 31 06 16 c4 1e aa be 79-8b 31 9f 8c 51 78 86 45   1......y.1..Qx.E
    0020 - 23 88 a2 91 53 6a d6 bb-11 97 44 ca f6 f0 e0 90   #...Sj....D.....
    0030 - 99 da e1 5c 77 e5 29 e3-ef 94 38 a0 94 f7 3e 1b   ...\w.)...8...>.
    0040 - d9 b9 01 7b 60 d2 a0 a5-d1 47 52 a0 cb a5 2b a9   ...{`....GR...+.
    0050 - 36 b3 1e e9 49 39 86 6e-88 d3 72 86 38 8d 81 e2   6...I9.n..r.8...
    0060 - 35 b3 0b bd 33 5f 7e 0d-5a 5f 6b 6f 64 f8 c9 11   5...3_~.Z_kod...
    0070 - ae d8 92 74 f7 f8 b8 01-f1 03 e5 79 a9 c8 53 37   ...t.......y..S7
    0080 - ee 08 e8 74 e3 ee e9 71-7a d3 1a a4 74 03 e1 f8   ...t...qz...t...
    0090 - cd 7c f8 78 0e 9b 40 fd-79 a8 62 50 28 9c 49 06   .|.x..@.y.bP(.I.
    00a0 - 2b f9 81 aa f5 f0 b0 fa-a0 86 9f 83 c9 90 eb 5e   +..............^
    00b0 - 24 09 c9 65 2c 7e dc 81-64 6d 85 4f 3d c1 10 04   $..e,~..dm.O=...
    00c0 - c8 fe 6b ec d4 d1 0a fc-ac d6 13 a7 eb 8d 4e 9c   ..k...........N.

    Start Time: 1741874918
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
40377C44AE7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:322:
 
So first off, you are using the default self-signed certs. Unless your SSL client has the trusted signing key installed, it will always be 'untrusted' (HTTPS crossed out in the browser, for example).

Secondly, you are getting "ALPN: server did not agree on a protocol. Uses default." in the curl tests. Typically this means SSL was downgraded on the client side to a negotiated protocol, but it's not saying what was actually used.

Then you seem to reconnect back to TLS1.3.

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing

This could be a problem with Curl.

Lastly, on your curl you did not pass your API key, so you get the 401 No ticket error, ending your SSL session. API calls require the key, so this is most likely why this is not working regardless of the SSL cert being self-signed.

However, this is also why I generally suggest everyone run through SSL setup and get in the habit of learning to manage your certs. Let's Encrypt is trivial; running on-prem OpenSSL signing is less trivial to set up, but with certbot it can be automated. Then on the client side you just have to make sure the signing chain is installed. Most things trust Let's Encrypt today; internal signing needs to be imported.
 
Thanks for the reply.

Testing with curl, I'm using -k --insecure - so even if the root CA is not trusted, curl will ignore this verification check and proceed.

I am passing the API key, I just redacted it in my post.

I think I fixed the issue: a combination of user/API permissions and escape characters.
I still can't get openssl s_client to work, but I was able to get curl to return a value using the API token.

Will post an update once I have a chance to confirm the problem.
 
I managed to get my API key working. I deleted and recreated using the following steps:
1. Created user "packer" with realm pam.
2. Created API Token "packer". So user is packer@pam, and I unchecked "Privilege Separation".
3. I went to Permissions and added packer@pam access to the / path, with Administrator role.

After this, I was able to test the API Token successfully using:

Code:
curl -k --request GET -H 'Authorization: PVEAPIToken=packer@pam!packer=apikey' https://ipaddress:8006/api2/json/access/permissions

I was able to get a full Packer script working to do a template build. The code is available here.

I still can't get the s_client command to work properly, but I will work on getting my own proper signed certificates with Let's Encrypt, and hopefully that solves the issue.
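The two client-side mistakes this thread ran into (the missing `PVEAPIToken=` prefix in the Authorization header, and a `\!` escape inside single quotes that sends a literal backslash to the API) can be caught before the request leaves the box, and the `-k` can be dropped by verifying the node's certificate against the cluster CA it was issued from. The following is an added example, not code from the thread or from Proxmox; it assumes a token created as `packer@pam` with token id `packer`, the cluster CA copied from `/etc/pve/pve-root-ca.pem` on a node, and placeholder host and secret values.

```shell
#!/bin/sh
# Added example (not from the thread): build the Proxmox API token header the
# way pve-api-daemon expects it, refuse headers with shell-escape damage, and
# verify the node's self-signed cert against the cluster CA instead of -k.
# Assumptions: token user packer@pam, token id "packer"; the CA file is the
# node's /etc/pve/pve-root-ca.pem copied to this client; host/secret are
# placeholders.

# Proxmox expects: Authorization: PVEAPIToken=<user>@<realm>!<tokenid>=<secret>
# The thread's first attempts omitted the "PVEAPIToken=" prefix, so the API
# answered "401 No ticket" even though a secret was present.
pve_auth_header() {
    # $1 user@realm, $2 token id, $3 secret
    printf 'Authorization: PVEAPIToken=%s!%s=%s' "$1" "$2" "$3"
}

# Inside single quotes the shell passes a backslash through untouched, so
# 'packer@pve\!packer' sends a literal backslash and the token name no longer
# matches. Interactive bash only history-expands "!" outside single quotes,
# so single-quoted token names need no escape at all.
has_stray_backslash() {
    case "$1" in
        *\\*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage: pve_api_get <host> <path> <user@realm> <tokenid> <secret> [cacert]
# The host must match the CN/SAN in the node cert (pve1.linuxtek.lan in the
# thread); an IP address would fail hostname verification once -k is gone.
pve_api_get() {
    host=$1; path=$2; user=$3; tokenid=$4; secret=$5
    cacert=${6:-/etc/pve/pve-root-ca.pem}
    hdr=$(pve_auth_header "$user" "$tokenid" "$secret")
    if has_stray_backslash "$hdr"; then
        echo "refusing to send: backslash in token header (unquote the '!')" >&2
        return 2
    fi
    # --cacert trusts the "PVE Cluster Manager CA" that issued the node cert,
    # which is what the "unable to get local issuer certificate" error is about.
    curl --silent --show-error --fail \
         --cacert "$cacert" \
         -H "$hdr" \
         "https://$host:8006$path"
}

# Example call (placeholder host and secret):
# pve_api_get pve1.linuxtek.lan /api2/json/access/permissions packer@pam packer '<secret>'
```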
 