Error Connection error 596: error:0A00010B:SSL routines::wrong version number

[copetogo]

Hi

I have a 3 node cluster and what i was trying to do is install beszel agent on one of the nodes for monitoring purpose . but as soon as i rebooted proxmox node i got this error on that particular node
Error Connection error 596: error:0A00010B:SSL routines::wrong version number. the other two nodes are working properly. i cannot afford to do fresh install on the node .
I ran the following 2 commands on all 3 nodes which i saw from thread earlier pointing a certificate issue

pvecm updatecerts -F
systemctl restart pvedaemon pveproxy

 

[Max Carrara]

Interesting. When does that error occur? Does it occur for every connection that you make?

Also, are you using a proxy?

 

[copetogo]

so the node on which i installed the agent , the problem occurs on that node. When you mean proxy are you referring to reverse proxy (answer is no)

 

[Max Carrara]

Okay, I see. I meant something like a system-wide HTTP proxy, but I assume you didn't set one up.

So on that node where that problem occurs, when exactly does it occur? For example, does it happen when you run something like curl -L proxmox.com?

 

[copetogo]

Okay, I see. I meant something like a system-wide HTTP proxy, but I assume you didn't set one up.

So on that node where that problem occurs, when exactly does it occur? For example, does it happen when you run something like curl -L proxmox.com?

i attached the screenshot below for that node i am not able to access anything except shell and greeted with the error mentioned. now although all CTS and VMS are working but i am not able to access any of them in proxmox .

 

[copetogo]

it is happening as soon start the node

 

[Max Carrara]

Okay, I see. Since you can access the shell, could you please run the following commands and post their output in code blocks?

• ldd $(which curl) (assuming you have curl installed)
• openssl version
• echo 'Q' | openssl s_client -connect proxmox.com:443

 

[copetogo]

Okay, I see. Since you can access the shell, could you please run the following commands and post their output in code blocks?

• ldd $(which curl) (assuming you have curl installed)
• openssl version

• echo 'Q' | openssl s_client -connect proxmox.com:443
  [/LIST]
  [/QUOTE]
  1) Out put of 1 st
  [CODE]   linux-vdso.so.1 (0x00007fff623fd000)
          libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x0000714e4ff02000)
          libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x0000714e4fee3000)
          libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000714e4fd02000)
          libnghttp2.so.14 => /lib/x86_64-linux-gnu/libnghttp2.so.14 (0x0000714e4fcd3000)
          libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x0000714e4fca2000)
          librtmp.so.1 => /lib/x86_64-linux-gnu/librtmp.so.1 (0x0000714e4fc81000)
          libssh2.so.1 => /lib/x86_64-linux-gnu/libssh2.so.1 (0x0000714e4fc40000)
          libpsl.so.5 => /lib/x86_64-linux-gnu/libpsl.so.5 (0x0000714e4fc2c000)
          libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x0000714e4fb83000)
          libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000714e4f600000)
          libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x0000714e4fb30000)
          libldap-2.5.so.0 => /lib/x86_64-linux-gnu/libldap-2.5.so.0 (0x0000714e4facf000)
          liblber-2.5.so.0 => /lib/x86_64-linux-gnu/liblber-2.5.so.0 (0x0000714e4fabf000)
          libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x0000714e4f544000)
          libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x0000714e4fab2000)
          /lib64/ld-linux-x86-64.so.2 (0x0000714e4ffff000)
          libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x0000714e4f38e000)
          libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x0000714e4f000000)
          libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x0000714e4f345000)
          libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x0000714e4f2f7000)
          libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x0000714e4f276000)
          libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x0000714e4ef26000)
          libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x0000714e4f249000)
          libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x0000714e4faa8000)
          libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x0000714e4fa9a000)
          libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x0000714e4f22c000)
          libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x0000714e4ef03000)
          libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x0000714e4edcf000)
          libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x0000714e4edba000)
          libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x0000714e4fa91000)
          libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x0000714e4eda9000)
          libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x0000714e4f220000)

  
  2) output of 2nd
  OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

 

[copetogo]

Output of 3rd

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = proxmox.com
verify return:1
---
Certificate chain
0 s:CN = proxmox.com
i:C = US, O = Let's Encrypt, CN = E5
aKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Jun 18 13:39:21 2025 GMT; NotAfter: Sep 16 13:39:20 2025 GMT
1 s:C = US, O = Let's Encrypt, CN = E5
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
aKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxx
-----END CERTIFICATE-----
subject=CN = proxmox.com
issuer=C = US, O = Let's Encrypt, CN = E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2499 bytes and written 397 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

removed the certificate details

 

[Max Carrara]

Hmm, okay, interesting. OpenSSL seems to be working correctly—at least its client is able to perform a handshake.

When was the last time you ran an update on the node? Are you able to e.g. run apt update and apt dist-upgrade?

Does the problem persist if you uninstall Beszel Agent from the affected node?

 

[copetogo]

to answer your node update did only a month ago ran all those updates commands again today. u

Hmm, okay, interesting. OpenSSL seems to be working correctly—at least its client is able to perform a handshake.

When was the last time you ran an update on the node? Are you able to e.g. run apt update and apt dist-upgrade?

Does the problem persist if you uninstall Beszel Agent from the affected node?

i completely uninstalled agent but no difference. curiously when i deleted certs i get this error in screenshot

 

[copetogo]

to answer your node update did only a month ago ran all those updates commands again today. u

i completely uninstalled agent but no difference. curiously when i deleted certs i get this error in screenshot

Ok i have disabled the agent and it seemed to do the trick. Ok i had to go thorugh proxmox docs where is has specifically mentioned not to touch the ssl's what i didn't know what beszel agent did exactly that .

 

[Max Carrara]

Ok i have disabled the agent and it seemed to do the trick. Ok i had to go thorugh proxmox docs where is has specifically mentioned not to touch the ssl's what i didn't know what beszel agent did exactly that .

Thanks for the update! I'm glad you figured it out.