[SOLVED] Checking the subscription behind a proxy fails.

Hello.
After configuring our Proxmox Backup Server and activating the subscription, it was put into production. Access to the internet is via a proxy (which we do not administer). Since then, the subscription status is "Invalid: subscription information too old".

A check shows "Error checking subscription: error trying to connect proxy connect failed - invalid status: HTTP/1.1 407 Proxy Authentication Required".

The HTTP proxy option is well configured and the updates work correctly.

We also have 5 Proxmox VE's subscription verification working properly. We only encounter this problem with PBS.

Is the URL used for subscription verification the same as for Proxmox VE? If different, what is it? I can thus have it added to the authorized URLs of the proxy.


Cordially
 
It should be shop.proxmox.com:443, same as PVE.
Do you use the same proxy for PBS and PVE?
 
Yes, it is the same proxy configuration.
I don't remember having had shop.proxmox.com added to the authorized sites.

But if it's the same as for PVE, it should work with PBS.
 
Yes, it's a more specific path, but it should be fine as long as you allow the whole shop.proxmox.com on port 443.
 
You're running the latest PBS version?
Please provide the output of proxmox-backup-manager versions --verbose 1

If possible, provide the output of the following commands:
Code:
openssl s_client -showcerts -connect shop.proxmox.com:443
openssl s_client -showcerts -no_middlebox shop.proxmox.com:443
curl -vvI https://shop.proxmox.com
 
Code:
# proxmox-backup-manager versions --verbose 1
proxmox-backup             2.2-1        running kernel: 5.15.35-2-pve
proxmox-backup-server      2.2.3-2      running version: 2.2.3      
pve-kernel-5.15            7.2-4                                    
pve-kernel-helper          7.2-4                                    
pve-kernel-5.13            7.1-9                                    
pve-kernel-5.15.35-2-pve   5.15.35-5                                
pve-kernel-5.13.19-6-pve   5.13.19-15                              
pve-kernel-5.13.19-1-pve   5.13.19-3                                
ifupdown2                  3.1.0-1+pmx3                            
libjs-extjs                7.0.0-1                                  
proxmox-backup-docs        2.2.3-1                                  
proxmox-backup-client      2.2.3-1                                  
proxmox-mini-journalreader 1.2-1                                    
proxmox-widget-toolkit     3.5.1                                    
pve-xtermjs                4.16.0-1                                
smartmontools              7.2-pve3                                
zfsutils-linux             2.1.4-pve1

Code:
# curl -vvI https://shop.proxmox.com
* Could not resolve host: shop.proxmox.com
* Closing connection 0
curl: (6) Could not resolve host: shop.proxmox.com

Code:
# curl -x http://user:password@ip:port -vvI https://shop.proxmox.com
*   Trying 10.253.35.2:3128...
* Connected to 10.253.35.2 (10.253.35.2) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to shop.proxmox.com:443
* Proxy auth using Basic with user 'xxxxxxxxx'
> CONNECT shop.proxmox.com:443 HTTP/1.1
> Host: shop.proxmox.com:443
> Proxy-Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=shop.proxmox.com
*  start date: May 25 21:00:07 2022 GMT
*  expire date: Aug 23 21:00:06 2022 GMT
*  subjectAltName: host "shop.proxmox.com" matched cert's "shop.proxmox.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: shop.proxmox.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Wed, 13 Jul 2022 13:56:32 GMT
Date: Wed, 13 Jul 2022 13:56:32 GMT
< Server: Apache
Server: Apache
< Set-Cookie: WHMCSvVl9CFfEzwuY=cpoukh2n30dgcb2n5kk1pqpfti; path=/; secure; HttpOnly
Set-Cookie: WHMCSvVl9CFfEzwuY=cpoukh2n30dgcb2n5kk1pqpfti; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8

<
* Connection #0 to host 10.253.35.2 left intact

Code:
# openssl s_client -showcerts -connect shop.proxmox.com:443
139947698857280:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:730:Name or service not known
connect:errno=22

# openssl s_client -showcerts -no_middlebox shop.proxmox.com:443
140282554955072:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:730:Name or service not known
connect:errno=22


I can't use -proxy with openssl because it doesn't handle authentication (only openssl 3).
 
Based on the output, I'd say one issue is that there's no name resolution working.
For some reason it does when using the proxy. But try getting name resolution working without it first.
 
The curl command to an internet domain only works by pointing to the proxy, which seems perfectly normal to me.
Name resolution works fine on our internal network. Access to the internet is only via a proxy.

I did the same tests on one of our Proxmox VE and the results are the same. Curl, without specifying the proxy, also says "Could not resolve host: shop.proxmox.com". However the verification of the subscription works well.

It would therefore seem that the method for verifying the subscription is different under PBS.

How does this verification work?
 
@fabian hinted at this maybe being an issue with the way the proxy support is implemented in PBS.
I'm currently trying to reproduce this locally with proxy authentication.
 
Have you made any progress on this issue? We can no longer update our PBS server.
There isn't much reaction from other PBS users. Am I the only one having this proxy problem with authentication?
 
Do you get an error when running proxmox-backup-manager subscription update on the command line?
 
#proxmox-backup-manager subscription update
Error : Error checking subscription: error trying to connect: proxy connect failed - invalid status: HTTP/1.1 407 Proxy Authentication Required

There seems to be a problem with authentication with the proxy.
Is OpenSSL used? If this is the case, apparently only version 3 allows the use of a proxy with authentication.
 
Thank you! This is the same error I get and clearly a bug in our code.
We're working on it.
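
Added example, not part of the thread and not Proxmox code: the CONNECT exchange from the curl trace above, replayed against a constructed local stub proxy, showing that the same proxy answers 407 when the client omits Proxy-Authorization and 200 when it sends Basic credentials. The stub, the user/password pair and all function names are assumptions for illustration; it does not claim to reproduce the actual PBS defect.

```python
import base64, hmac, socket, threading

def read_head(sock):
    """Read from the socket until the blank line that ends an HTTP header block."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def basic(user, password):
    """Build the Basic credential string carried in Proxy-Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def stub_proxy(listener, user, password, connections):
    """Constructed stand-in for an authenticating proxy; answers CONNECT, tunnels nothing."""
    expected = basic(user, password).encode()
    for _ in range(connections):
        conn, _addr = listener.accept()
        with conn:
            lines = read_head(conn).decode("latin-1").split("\r\n")[1:]
            headers = {k.strip().lower(): v.strip()
                       for k, _, v in (ln.partition(":") for ln in lines if ln)}
            sent = headers.get("proxy-authorization", "").encode("latin-1")
            if hmac.compare_digest(sent, expected):
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                             b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')

def connect_status(proxy_addr, target, credentials=None):
    """Send one CONNECT to the proxy and return the status line it answers with."""
    request = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if credentials:
        request.append("Proxy-Authorization: " + basic(*credentials))
    with socket.create_connection(proxy_addr, timeout=5) as sock:
        sock.sendall(("\r\n".join(request) + "\r\n\r\n").encode())
        return read_head(sock).split(b"\r\n", 1)[0].decode()

def demo():
    """Run both CONNECT variants against the local stub; no outside network is used."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen()
        threading.Thread(target=stub_proxy, args=(listener, "user", "password", 2),
                         daemon=True).start()
        addr, target = listener.getsockname(), "shop.proxmox.com:443"
        return {"without": connect_status(addr, target),
                "with": connect_status(addr, target, ("user", "password"))}

if __name__ == "__main__":
    print(demo())
```

The target name appears only as text in the CONNECT request line, so the client never needs to resolve it itself, which matches the curl behaviour shown earlier in the thread.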
 
Ok, I'll wait for an update then. Thanks.

I'm still surprised that this problem hasn't happened to other users before. PBS must be used by a lot of people in a professional environment...
 
But I bet most of them use an internal proxy server without proxy authentication.
 
But there must be other users who, like me, work in a French administration or a big company! If so, I find it hard to believe that access to the internet is done without authenticating the user...

Finally, the main thing is that you quickly implement this proxy authentication. Otherwise our subscription will remain unusable!
 
