API ticket 401 authentication failure

pver

New Member
Mar 20, 2022
1
0
1
42
Virtual Environment 7.1-7

I use curl to access the PVE API, yesterday I could get a ticket normally, but today I can only get a null every time I access it, the command I use is:
(There is no error in the password)

export TYPE_FORM="Content-Type:application/x-www-form-urlencoded"
export PVEIP=192.168.1.100
export PVEPASSWORD=somepassword
curl -v -k -s -X POST -H TYPE_FORM -d 'username=root@pam' --data-urlencode 'password=$PVEPASSWORD' https://$PVEIP:8006/api2/json/access/ticket | python -m json.tool

output:

* Trying 192.168.1.100...
* TCP_NODELAY set
* Connected to 192.168.1.100 (192.168.1.100) port 8006 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [205 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1206 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=pve.lan
* start date: Mar 3 14:08:59 2022 GMT
* expire date: Mar 2 14:08:59 2024 GMT
* issuer: CN=Proxmox Virtual Environment; OU=1ffacf41-2ee5-4212-996e-acdde04f1605; O=PVE Cluster Manager CA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /api2/json/access/ticket HTTP/1.1
> Host: 192.168.1.100:8006
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 41
> Content-Type: application/x-www-form-urlencoded
>
} [41 bytes data]
* upload completely sent off: 41 out of 41 bytes
< HTTP/1.1 401 authentication failure
< Cache-Control: max-age=0
< Connection: close
< Date: Sun, 20 Mar 2022 01:17:01 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Content-Length: 13
< Content-Type: application/json;charset=UTF-8
< Expires: Sun, 20 Mar 2022 01:17:01 GMT
<
{ [13 bytes data]
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
{
"data": null
}
 
anything visible in the server logs? can you log in using the same user/password using a browser?
 
@pver Is there a chance that you set some type of second factor authentication on the root login? If so, the ticket API endpoint returns a 401 and there will also be a log entry in syslog with this in it:

Code:
old login api disabled, user has incompatible TFA entries

I don't know if this is what is supposed to happen, but this is what does happen when root has WebAuthn and Recovery Codes set.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!