Cannot access the web-gui after some time

[pesvoja]

Dear Proxmox forum, if possible, I would like to kindly ask you for a help.
I have installed Proxmox VE (version 8) few months ago and I am operating Windows VMs successfully so far.
However, when I tried access the webgui today, I got the "Secure Connection Failed" error while I am still able to access a Windows VM via RDP.

This is the curl output:

curl.exe -Lkvv https://192.168.2.11:8006/
Note: Using embedded CA bundle (231212 bytes)
Note: Using embedded CA bundle, for proxies (231212 bytes)
11:20:32.311000 [0-0] * [HTTPS-CONNECT] created with 1 ALPNs -> 0
11:20:32.311000 [0-0] * [HTTPS-CONNECT] added
11:20:32.327000 [0-0] * [HTTPS-CONNECT] connect, init
11:20:32.327000 [0-0] *   Trying 192.168.2.11:8006...
11:20:32.327000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
11:20:32.342000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
11:20:32.358000 [0-0] * ALPN: curl offers h2,http/1.1
11:20:32.358000 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
11:20:32.358000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
11:20:32.374000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
11:20:32.389000 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
11:20:32.389000 [0-0] * TLSv1.3 (IN), TLS handshake, Unknown (8):
11:20:32.405000 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
11:20:32.405000 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
11:20:32.422000 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
11:20:32.430000 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
11:20:32.439000 [0-0] * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
11:20:32.445000 [0-0] * ALPN: server did not agree on a protocol. Uses default.
11:20:32.453000 [0-0] * Server certificate:
11:20:32.453000 [0-0] *  subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=pve.patlm.local
11:20:32.464000 [0-0] *  start date: Sep 26 17:34:07 2024 GMT
11:20:32.473000 [0-0] *  expire date: Sep 26 17:34:07 2026 GMT
11:20:32.479000 [0-0] *  issuer: CN=Proxmox Virtual Environment; OU=4b8b08f1-abdd-4325-bff9-9957b03ef766; O=PVE Cluster Manager CA
11:20:32.488000 [0-0] *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
11:20:32.498000 [0-0] *   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
11:20:32.504000 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 171ms, 1st data: 62ms
11:20:32.509000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
11:20:32.514000 [0-0] * Connected to 192.168.2.11 (192.168.2.11) port 8006
11:20:32.543000 [0-0] * using HTTP/1.x
11:20:32.550000 [0-0] > GET / HTTP/1.1
11:20:32.550000 [0-0] > Host: 192.168.2.11:8006
11:20:32.550000 [0-0] > User-Agent: curl/8.12.0
11:20:32.550000 [0-0] > Accept: */*
11:20:32.550000 [0-0] >
11:20:32.569000 [0-0] * Request completely sent off
11:20:37.569000 [0-0] * Empty reply from server
11:20:37.579000 [0-0] * shutting down connection #0
11:20:37.581000 [0-0] * [HTTPS-CONNECT] shut down successfully
11:20:37.584000 [0-0] * [SETUP] shut down successfully
11:20:37.584000 [0-0] * TLSv1.3 (OUT), TLS alert, close notify (256):
11:20:37.596000 [0-0] * [HTTPS-CONNECT] close
11:20:37.596000 [0-0] * [SETUP] close
11:20:37.601000 [0-0] * [SETUP] destroy
11:20:37.601000 [0-0] * [HTTPS-CONNECT] destroy
curl: (52) Empty reply from server

Would you give me any suggestions please?

Thank you, Petr

 

[wbk]

Hi Petr,

Welcome to the forums!

when I tried access the webgui today, I got the "Secure Connection Failed" error

The output shows that PVE presents a self-signed certificate. Did you get a Letsencrypt certificate earlier? Perhaps the renewal failed.

Do you connect in your browser by hostname/FQDN, or by IP as shown in your cURL output?

Using IP should give you the option to continue anyway or to add a security exception which some browsers don't allow when using the host/domain name.

Good luck!

 

[pesvoja]

Hi Petr,

Welcome to the forums!

The output shows that PVE presents a self-signed certificate. Did you get a Letsencrypt certificate earlier? Perhaps the renewal failed.

Do you connect in your browser by hostname/FQDN, or by IP as shown in your cURL output?

Using IP should give you the option to continue anyway or to add a security exception which some browsers don't allow when using the host/domain name.

Good luck!

Hi there,
thank you for posting the reply!

I should probably explain also some background: the PVE node is more or less fresh installation of PVE. I just installed the PVE and uploaded VMs from older node few months ago (start date: Sep 26 17:34:07 2024 GMT from cURL output is probably correct). The PVE is used just for backup of VMs when some complex tasks are done in the VMs. I wanted to backup the VMs today using the GUI, otherwise I would not notice any issue, instability or restarts of VMs for example.

To answer the questions:
- I did not touch certificates in any way
- I use https://192.168.2.11:8006/ for connection
- I add security exception when connection via browser

Thank you,
Petr

 

[wbk]

- I did not touch certificates in any way
- I use https://192.168.2.11:8006/ for connection
- I add security exception when connection via browser

Things you could try:

• Remove the security exception from your browser, so it can allow you to add the exception. Perhaps something got 'stuck'
• Try another browser (a Chromium based one if you usually use Firefox, or the other way around; they deal with those exceptions in a bit different ways)

I would set up a Letsencrypt subscription myself, if only to stop being pestered by my browsers (with DNS-01 you may verify private addresses that have no connection to the 'Net)

 

[pesvoja]

The thing is, I did this procedure so many times - just opened browser, used https://IP_address:8006/, set the exception, used credentials and performed the backup task.
Yes, I tried different browsers....
What has changed?

Thanks,
Petr

 

[gfngfn256]

Yes, I tried different browsers....

Different client-PC on same NW?

 

[pesvoja]

I will ask people there to leave me some PC switched on tomorrow and let you know.
If it does not help, I will visit the location probably during this weekend.
Thank you for your support!
Petr

 

[pesvoja]

Nope, unfortunately it did not help - different client (Windows, but different antivirus solution), the same subnet as the PVE, there is just a switch between them.
Any other idea please? I just do not want ask people there to restart the server and see what will be the outcome.
Thanks, Petr

 

[pesvoja]

So I have also tried Linux-based client with different browsers (Firefox and Chromium), with no luck:-(
Any idea for next steps please?
Thanks,
Petr

 

[pesvoja]

When I try SSH, I got Connection reset by....

 

[BobhWasatch]

This is sounding a lot like a duplicate IP somewhere on your network. If that is the case you can get connection reset by peer because you're not connecting to what you think you are.

 

[pesvoja]

So the problem is solved.
It was not a duplicate IP, I did not expect this would be the case, because I have quite strong control over what is connected to the network.
Unfortunately, I could not identify the root cause of the problem because I am not a big expert in Linux, the services were running, I could ping the IP and see standard Proxmox ports opened after the IP scan. Therefore, the only option for me was restart and this fixed the problem.
To be very honest, I hate solutions like this but this was only the option for me as I need backups of VMs to prevent loss of the changes made in the VMs.
Anyway, thank you for your support and your time. Petr

 

[pesvoja]

Sorry, I just cannot live with the "reboot" solution.
I am trying to figure out what happened. I found this in the "System Log" of the node:

Feb 04 16:17:01 pve CRON[414904]: pam_unix(cron:session): session closed for user root
-- Reboot --
Feb 27 09:03:50 pve kernel: Linux version 6.8.12-2-pve (build@proxmox) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-2 (2024-09-05T10:03Z) ()
Feb 27 09:03:50 pve kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.8.12-2-pve root=/dev/mapper/pve-root ro quiet

Why there is no log between Feb 04 and Feb 27? I started this thread when I realized that the web gui is not available during Feb 09, but all the VMs where running all the time.
Any idea what is going on?

Thanks, Petr

 

[griddy]

Hi Petr,
I am sitting with the exact same situation. I have tried a restart, but it has not helped. Do you happen to have any advice for me?

Any advice is much appreciated!

Thank you
Griddy

 

[pesvoja]

Hi Griddy,

yes, it helped me at that time.
I did want to test whether this is persisting issue and therefore, I did not perform any update nor configuration change and yes, the web GUI is not accessible again. Therefore, it is some bug... Unfortunately, I am not skilled enough to discover root cause of this.

How did you perform the reboot?

Petr

 

[griddy]

Hi Petr,

I switched it off at the wall. I will be trying a few things in the coming days as I cannot have this server offline at any point. I will let you know if I find a solution.

Thank you!
Griddy

 

[gfngfn256]

I switched it off at the wall.

Maybe you should have connected a physical display & keyb to the server to shutdown the node. Also you could then try to debug the issue directly on the node.