[SOLVED] Cannot update fresh pve from pve-no-subscription repo

SArkhipov

Mar 12, 2025
Problem

Cannot get apt-update for pve-no-subscription

Reproduce
- Follow the steps at https://proxmox.com/en/products/proxmox-virtual-environment/get-started
- Set the repo according to [Host System Administration](https://pve.proxmox.com/pve-docs/chapter-sysadmin.html)

Errors
Bash:
root@pve:~# apt-get update
Ign:4 https://download.proxmox.com/debian/pve bookworm InRelease
Hit:2 https://security.debian.org/debian-security bookworm-security InRelease
Hit:1 https://deb.debian.org/debian bookworm InRelease
Hit:3 https://deb.debian.org/debian bookworm-updates InRelease
Ign:4 https://download.proxmox.com/debian/pve bookworm InRelease
Ign:4 https://download.proxmox.com/debian/pve bookworm InRelease
Err:4 https://download.proxmox.com/debian/pve bookworm InRelease
  Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 212.224.123.70 443]
Reading package lists... Done
W: Failed to fetch http://download.proxmox.com/debian/pve/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 212.224.123.70 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.

Additional info

- use [post-install scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=post-pve-install) - does not help
- using curl gives this output:
Bash:
root@pve:~# curl -vvv http://download.proxmox.com
*   Trying 185.219.221.167:80...
* Connected to download.proxmox.com (185.219.221.167) port 80 (#0)
> GET / HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://download.proxmox.com/
< Server: Caddy
< Date: Wed, 12 Mar 2025 12:16:54 GMT
< Content-Length: 0
<
* Closing connection 0

- curl with follow redirect gives:
Bash:
curl -vvv -L http://download.proxmox.com
*   Trying 212.224.123.70:80...
* Connected to download.proxmox.com (212.224.123.70) port 80 (#0)
> GET / HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://download.proxmox.com/
< Server: Caddy
< Date: Wed, 12 Mar 2025 12:18:00 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://download.proxmox.com/'
*   Trying 212.224.123.70:443...
* Connected to download.proxmox.com (212.224.123.70) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=enterprise.proxmox.com
*  start date: Feb 14 05:01:35 2025 GMT
*  expire date: May 15 05:01:34 2025 GMT
*  subjectAltName does not match download.proxmox.com
* SSL: no alternative certificate subject name matches target host name 'download.proxmox.com'
* Closing connection 1
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'download.proxmox.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


- Checking the certificate shows that the name download.proxmox.com does not exist in the Subject Alt Names
 
Hi,

You need to use http, not https here. apt repositories are already signed via GPG, so HTTPS does not add much here. That's why we only serve them via HTTP, as that also can reduce load. (There are threads already about this topic here in the forum, if you want to search for them.)

See Proxmox VE No-Subscription Repository, it's not a mistake that only HTTP is used there.

use [post-install scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=post-pve-install) - does not help
Also please note that running random scripts off the internet, without exactly knowing what they do, might damage your system and/or put you into unsupported configurations.
 
I paid attention that users without a subscription should use http in sources.list for apt.
I have done that according to the manual.
You can look at the additional info in my post and see that the INITIAL request is http.
The problem arises after this http request comes to download.proxmox.com and this server REDIRECTs permanently (308) to https.


Bash:
 curl -vvv http://download.proxmox.com
*   Trying 185.219.221.167:80...
* Connected to download.proxmox.com (185.219.221.167) port 80 (#0)
> GET / HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://download.proxmox.com/
< Server: Caddy
< Date: Wed, 12 Mar 2025 13:06:49 GMT
< Content-Length: 0
 
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://download.proxmox.com/
< Server: Caddy
Do you use a proxy or a MITMing firewall?
Our servers run neither Caddy nor do they redirect to HTTPS.
(Seems I overlooked that in your first post.)

A successful, direct request should look like this:
Code:
$ curl -v http://download.proxmox.com
* Host download.proxmox.com:80 was resolved.
* IPv4: 185.219.221.167
*   Trying 185.219.221.167:80...
* Connected to download.proxmox.com (185.219.221.167) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/8.12.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 12 Mar 2025 13:15:54 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
 
Do you use a proxy or a MITMing firewall?
Our servers run neither Caddy nor do they redirect to HTTPS.
Thank you very much @cheiss !
I don't use a proxy, but my ISP does, helping to load common resources faster.
Help is not always equally useful for everyone :)

With your hint, the problem is solved.
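
The comparison made in this thread, as an added example (not part of the original posts and not Proxmox code): a shell function that reads `curl -v` output and flags a response that does not match what the staff reply says the origin sends (200, `Server: nginx`, no redirect to HTTPS). The function names and verdict strings are hypothetical; the sample headers are trimmed from the two captures above.

```shell
#!/bin/sh
# Added example: classify `curl -v http://download.proxmox.com` output.
# Baseline from the staff reply in this thread: the origin answers plain
# HTTP directly (200, Server: nginx) and does not redirect to HTTPS.
# Function names and verdict strings are hypothetical.

classify_repo_response() {
    # Reads curl -v output on stdin, prints one verdict line.
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line ends
        /^< HTTP\//       { if (!status)   status   = $3 }  # first response
        /^< [Ss]erver:/   { if (!server)   server   = tolower($3) }
        /^< [Ll]ocation:/ { if (!location) location = $3 }
        END {
            if (!status) { print "unknown: no HTTP response found"; exit }
            if (status ~ /^3/ && location ~ /^https:/)
                print "intercepted: " status " redirect to HTTPS, Server=" server
            else if (server != "nginx")
                print "suspect: status " status ", unexpected Server=" server
            else
                print "direct: " status ", Server=" server
        }'
}

# Response headers copied from the two captures in the thread (trimmed).
sample_intercepted() {
    cat <<'EOF'
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://download.proxmox.com/
< Server: Caddy
EOF
}

sample_direct() {
    cat <<'EOF'
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html
EOF
}

# Live use: curl -sv http://download.proxmox.com 2>&1 | classify_repo_response
sample_intercepted | classify_repo_response
sample_direct | classify_repo_response
```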
 