API token not working

[weeglos]

So I am trying to get the apparently problematic Zabbix plugin to work with Proxmox.

In doing so, I am trying to verify that the API on Proxmox will respond to a basic query, but getting errors whenever I try. What am I missing?

Here is what I'm doing:

user@linux-ubuntu:~$ curl --insecure -H "Authorization: PVEAPIToken=zabbix@pve\!zabbix=<<token id redacted>>" 'https://<<proxmox server redacted>>:8006/api2/json/'

And the error message:

curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

I have configured the zabbix user with key:

root@proxmox:~# pveum user list
┌────────────┬─────────┬─────────────────┬────────┬────────┬───────────┬────────┬────────┬──────────┬────────────┬──────────────────┬────────┬─────────────┐
│ userid     │ comment │ email           │ enable │ expire │ firstname │ groups │ keys   │ lastname │ realm-type │ tfa-locked-until │ tokens │ totp-locked │
╞════════════╪═════════╪═════════════════╪════════╪════════╪═══════════╪════════╪════════╪══════════╪════════════╪══════════════════╪════════╪═════════════╡
│ root@pam   │         │ <<redacted>>    │ 1      │      0 │           │        │        │          │ pam        │                  │        │             │
├────────────┼─────────┼─────────────────┼────────┼────────┼───────────┼────────┼────────┼──────────┼────────────┼──────────────────┼────────┼─────────────┤
│ zabbix@pam │         │                 │ 1      │      0 │           │        │ zabbix │          │ pam        │                  │        │             │
└────────────┴─────────┴─────────────────┴────────┴────────┴───────────┴────────┴────────┴──────────┴────────────┴──────────────────┴────────┴─────────────┘
root@proxmox:~# pveum user token list zabbix@pam
┌─────────┬─────────┬────────┬─────────┐
│ tokenid │ comment │ expire │ privsep │
╞═════════╪═════════╪════════╪═════════╡
│ zabbix  │         │      0 │ 0       │
└─────────┴─────────┴────────┴─────────┘

root@proxmox:~# pveum user token permissions zabbix@pam zabbix
┌──────────┬─────────────────┐
│ ACL path │ Permissions     │
╞══════════╪═════════════════╡
│ /        │ Datastore.Audit │
│          │ Mapping.Audit   │
│          │ Pool.Audit      │
│          │ SDN.Audit       │
│          │ Sys.Audit       │
│          │ VM.Audit        │
└──────────┴─────────────────┘
Permissions marked with '(*)' have the 'propagate' flag set.

 

[weeglos]

I noticed I was referencing a token 'zabbix@pve' but only had 'zabbix@pam' in my CURL. I fixed that but still have the same issue:

[root@zabbix ~]# curl --insecure -H "Authorization: PVEAPIToken=zabbix@pve\!zabbix=<<redacted>>" 'https://proxmox:8006/api2/json/'
    curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
    


    root@proxmox:/etc/pve/nodes/seinar/qemu-server# pveum user list
    ┌────────────┬─────────┬─────────────────┬────────┬────────┬───────────┬────────┬──────┬──────────┬────────────┬──────────────────┬────────┬─────────────┐
    │ userid     │ comment │ email           │ enable │ expire │ firstname │ groups │ keys │ lastname │ realm-type │ tfa-locked-until │ tokens │ totp-locked │
    ╞════════════╪═════════╪═════════════════╪════════╪════════╪═══════════╪════════╪══════╪══════════╪════════════╪══════════════════╪════════╪═════════════╡
    │ root@pam   │         │ <<redacted>>    │ 1      │      0 │           │        │      │          │ pam        │                  │        │             │
    ├────────────┼─────────┼─────────────────┼────────┼────────┼───────────┼────────┼──────┼──────────┼────────────┼──────────────────┼────────┼─────────────┤
    │ zabbix@pve │         │                 │ 1      │      0 │           │        │      │          │ pve        │                  │        │             │
    └────────────┴─────────┴─────────────────┴────────┴────────┴───────────┴────────┴──────┴──────────┴────────────┴──────────────────┴────────┴─────────────┘
    root@seinar:/etc/pve/nodes/seinar/qemu-server# pveum user token list zabbix@pve
    ┌─────────┬─────────┬────────┬─────────┐
    │ tokenid │ comment │ expire │ privsep │
    ╞═════════╪═════════╪════════╪═════════╡
    │ zabbix  │         │      0 │ 0       │
    └─────────┴─────────┴────────┴─────────┘


      root@proxmox:/etc/pve/nodes/seinar/qemu-server# pveum user token permissions zabbix@pve zabbix
    ┌────────────────┬─────────────────────┐
    │ ACL path       │ Permissions         │
    ╞════════════════╪═════════════════════╡
    │ /              │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /access        │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /access/groups │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /nodes         │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /pool          │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /sdn           │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /storage       │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    ├────────────────┼─────────────────────┤
    │ /vms           │ Datastore.Audit (*) │
    │                │ Mapping.Audit (*)   │
    │                │ Pool.Audit (*)      │
    │                │ SDN.Audit (*)       │
    │                │ Sys.Audit (*)       │
    │                │ VM.Audit (*)        │
    └────────────────┴─────────────────────┘
    Permissions marked with '(*)' have the 'propagate' flag set.

 

[Bingo600]

I just installed the Zabbix Proxmox monitoring , bu following this webpage.
https://geekistheway.com/2022/12/31/monitoring-proxmox-ve-using-zabbix-agent/

See the comments at bottom.
I replicated all the "Api token" permissions on the "Monitoring user too".
And i created an additional MACRO : {$PVE.URL.HOST} - Containing the ip (or hostname) pf my Proxmox PVE Host


I took a bit of "Picture inspiration from here" , but do NOT like the that that page using the root user for monitoring.
https://rdr-it.io/en/proxmox-supervision-with-zabbix/#


Before doing any of the above, i installed the zabbix agent2 (on the pve host) , as described on the page above.
Folliwing this one.
https://geekistheway.com/2022/12/31/configuring-zabbix-agents-on-linux-servers/

To get the correct zabbix "deb" package for your version go here (the deb just adds the correct zabbix repos)
https://www.zabbix.com/download


Edit:
Remember to download the correct template for your Zabbix version (I use Zabbix 6.0.xx) , See pict

/Bingo

 

[shmel]

I encountered a similar problem myself. It turned out that the cause of the error curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0 was an invalid token. This is confusing because, in the case of an invalid token, you would expect a 401 status code from the API or at least some text indicating that it’s unauthorized.