Problems activating subscription

[Theune]

Bought a subscription for an proxmox node that I've installed a very long time ago (4.3-1/e7cdc165).
However I'm not able to activate the subscription. Both on commandline and using the GUI I see the following error:

pvesubscription
ERROR: no command specified
USAGE: pvesubscription <COMMAND> [ARGS] [OPTIONS]
pvesubscription get
pvesubscription set <key>
pvesubscription update  [OPTIONS]
pvesubscription help [<cmd>] [OPTIONS]
root@server:/# pvesubscription update
Invalid response from server: 500 Can't connect to shop.maurer-it.com:443
root@server:/# ping shop.maurer-it.com
PING shop.maurer-it.com (51.91.38.41) 56(84) bytes of data.
64 bytes from ip41.ip-51-91-38.eu (51.91.38.41): icmp_seq=1 ttl=50 time=15.1 ms

Given the fact that I can ping the url and get the correct IP tells me DNS is working.
I've turned off all the IPv6 (not to interfere).
Checked the server is not blocking or filtering
What else could I check?

 

[mariol]

Invalid response from server: 500 Can't connect to shop.maurer-it.com:443

Please post the output of

openssl s_client -connect shop.maurer-it.com:443

You can interrupt at the end with CTRL+C.

What happened anyway? Was the subscription transferred, was the repo no longer available...?

And please post the output of

pvesubscription get

without your key!!

 

[Theune]

Thank you mariol for your help.
Below the output of the first command:

~# openssl s_client -connect shop.maurer-it.com:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R10
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=shop.maurer-it.com
   i:/C=US/O=Let's Encrypt/CN=R10
 1 s:/C=US/O=Let's Encrypt/CN=R10
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISBHcMbGr9LbauvaUN2ef3goZVMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQwODIyMjMzODM3WhcNMjQxMTIwMjMzODM2WjAdMRswGQYDVQQD
ExJzaG9wLm1hdXJlci1pdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDPxwoPQTvLx6KdENMCqYQ0xV4v2kz3bgAaNeUnbQjne+wllq3whj7XjOCh
Fq+CCcl+iiQOEFXSx0MHVZMm4fZ4wjzRl3lsIkA1wjbCwhGRF1pRy6vEDD5gd2XC
O4eYU4YwBbI2ftHofKyMdeqmrXv6M7Q26+4soiAY/aQA0JUQqHEWx+Qo9/yfVLPL
WlutdPGueTHczKe4gYzBY63IMdE6Z+SP7DUktbT0W3b6pMZqcIoauUU/OyAtADnr
oo6DF+SJ4A4xrVZB6QQcelLUKYZlKteEbgUMshxIx7y2Q85GATGRScFtRnym0fCF
2YrHxXjcskuOOCoHPS4+pLBgi06BAgMBAAGjggIXMIICEzAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
HQYDVR0OBBYEFP8+sOlaz0rgepCU1KTH1b4KxEC6MB8GA1UdIwQYMBaAFLu8w0el
5LypxsOkcgwQjaI14cjoMFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0
cDovL3IxMC5vLmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMC5pLmxl
bmNyLm9yZy8wHQYDVR0RBBYwFIISc2hvcC5tYXVyZXItaXQuY29tMBMGA1UdIAQM
MAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAPxdLT9ciR1iU
HWUchL4NEu2QN38fhWrrwb8ohez4ZG4AAAGRfKpnbgAABAMARzBFAiAUVtv05GRj
lgO+tYC0H7MgenR7wtQxx+ccmAoilL9Y7AIhAJDQ2g7v8ykBy1t4plczcwizfkNP
UVsGrlDSzM56KftiAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQA
AAGRfKpnmwAABAMASDBGAiEAlHsveOXN+1nLraz7bkSI9CqzgUvvvKO6N9bi9zeM
NBcCIQDGgtPQYozjn2T+ZClc/bSiNT29JV+605H+CABRxIhmnzANBgkqhkiG9w0B
AQsFAAOCAQEAPO8vMQ25M1TcRRu9cJtj0VdbMRkThJquEatX4LhFtRWlz+A3E7yR
c01Z/eagaii5UhpBNhtbc+wFuMYyNhp7hmuWbqWWxab7nB7XoQspxsAPKOpZdsnK
Jx9YEt7xBYqu+97fMngvT/wXCgzSmmKSrunMYLSSR0THtYN7Gw/+wPHv1QppAF86
Z+roPFzERhuwT846/xr4l5puaH7lIxkf2Z6ZrxdfwQSIRyj+8nB0CywP0MCcNW/u
HxOs4GGyM/AuUbofWSmM0eiNjDHMMLUbTCkNAcdajJHbsGfwbwT4SnJ99dWEzpJG
EcZtxqjOfPBxZbhqlUQm1cDc1+cOw33PqA==
-----END CERTIFICATE-----
subject=/CN=shop.maurer-it.com
issuer=/C=US/O=Let's Encrypt/CN=R10
---
No client certificate CA names sent
---
SSL handshake has read 3140 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CB033594584A203F900B82443AD4F3DAEB047FF9268BA9AA1D0EEBC2478FA58C
    Session-ID-ctx:
    Master-Key: 08BD7B072B382335506D104DB590D6858514FE082CB5588A8321BBBC8ECA6A105512FEA11453ED9819D2C8070EE6FF8A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1728423123
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Hope I didn't press <CTRL> C to soon.

Below the output of the second command (without key):

root@aragorn:~# pvesubscription get
key: </snip key>

serverid: 14C95EEFE3016A30552AEE1D62AC81B8
sockets: 1
status: Invalid

What happened is that a long time ago I installed this server and I basically forgot. I wanted to test somethings and saw that this version was old. So I decided to buy a community license and attempt to update the key (rather than to reinstall the server).

Do you have enough information. Appears something wrong with the local certificate. Is that correct?

 

[mariol]

verify error:num=20:unable to get local issuer certificate

According to the error message, you are missing the current CA from Let's Encrypt. Which version have you installed exactly?

pveversion

 

[Theune]

Please see below:

# pveversion
pve-manager/4.3-1/e7cdc165 (running kernel: 4.4.19-1-pve)

 

[mariol]

Ok. You could go from 4 to 5, from 5 to 6, from 6 to 7 and from 7 to PVE8. The question is whether you want to go through all these steps. I would recommend that you backup your data/VM's and simply reinstall your server with the latest ISO. That's the quickest way. Before you can enter your subscription key in the newly installed server, please reset it in the shop.

 

[Theune]

Thank you for the help and the advice Mario. I understand that it is a lot of work.
What can I do to fix the problem with the certificate so I can do the upgrade path?

 

[esi_y]

Thank you for the help and the advice Mario. I understand that it is a lot of work.

This will be fun.

Backup your config, at the least:
https://forum.proxmox.com/threads/backup-cluster-config-pmxcfs-etc-pve.154569/

What can I do to fix the problem with the certificate so I can do the upgrade path?

First off, there was a bug in these older openssl versions, you have to use bogus CApath to check properly:

openssl s_client -connect shop.maurer-it.com:443 -CApath /dev/null

I think a more no-nonsense check is simply:

wget https://shop.maurer-it.com

NB PVE4 was based on Debian Jessie, so you will need to get packages from archive, I mean, at least the guides want you to start with updated systems anyways, basically for Jessie:

mv /etc/apt/sources.list{,.outdated}

cat > /etc/apt/sources.list.d/jessie-archive.list <<< "deb http://archive.debian.org/debian jessie main"

Then as usual with these:

apt update

apt full-upgrade

But on this old Debian you really might miss the root CA [1] - check manually after the update/upgrade if your issue with certificate validation persists.

If it does, to get the current CA certificate, ironically you can download it only without checking certificates of the server you download from (to do it properly, you should download on a current system, then scp in, it has to have .crt extension):

wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/local/share/ca-certificates/x1.crt

update-ca-certificates -f

And you can check as before, now all should be good.

Analogously for Debian Stretch, Buster, Bullseye, Bookworm with apt ... the sed -i 's/jessie/stretch/g' will not work without archive ... of course you won't have certificate problem anymore, at least.

Well, it will be fun ... good luck!

[1] https://letsencrypt.org/certificates/

 

[Theune]

Thanks. Backed up the virtual machines the database and the

/etc

folder



However the command

apt update

gave the error:

Ign http://archive.debian.org jessie InRelease
Get:1 http://archive.debian.org jessie Release.gpg [2,420 B]
Get:2 http://archive.debian.org jessie Release [148 kB]
Ign http://archive.debian.org jessie Release
Get:3 http://archive.debian.org jessie/main Translation-en [4,581 kB]
Ign https://enterprise.proxmox.com jessie InRelease
Get:4 http://archive.debian.org jessie/main amd64 Packages [6,818 kB]
Ign https://enterprise.proxmox.com jessie Release.gpg
Ign https://enterprise.proxmox.com jessie Release
Ign http://archive.debian.org jessie/main Translation-en_US
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en
Fetched 11.5 MB in 2s (5,110 kB/s)
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717
W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.

The commands:

openssl s_client -connect shop.maurer-it.com:443 -CApath /dev/null
wget --no-check-certificate ....
update-ca-certificates ...

Allowed:

wget https://shop.maurer-it.com

to work.

Now also the commands:

apt update
apt full-upgrade

Are working. I have not updated all the various versions and upgraded the lot.
However my subscription key is not accepted yet.
So not all is good yet.

Main question that I have at this moment:
Should I update the device as you suggested or do I need to have the server key working first.

 

[esi_y]

W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The thing is, if you want to use "enterprise" repos for APT, you need a subscription. You would either need to have that fixed first or switch to no-subscription repos to proceed with the upgrades. That's more like your call, I would probably just do no-subscription and worry about keys later:
https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo
(note it is NOT https anymore)

If you want to fix your key, I belive that's really something @mariol could help with (or email them) because I am not sure what he meant by (and on which "new" PVE install this is necessary):

Before you can enter your subscription key in the newly installed server, please reset it in the shop.

apt update
apt full-upgrade

Until you have also PVE repository sorted out in the sources.list, you have only updated Debian packages.

Main question that I have at this moment:
Should I update the device as you suggested or do I need to have the server key working first.

Let me know if you have trouble fixing the repos (should you decide to just press on without the key).

 

[esi_y]

https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo

Just to make this a little more tailored to your situation, you basically need:

cat > /etc/apt/sources.list.d/pve-no-subscription.list <<< "deb http://download.proxmox.com/debian/pve jessie pve-no-subscription"

Or so I hope (I can see they still all keep them there).

You can post your apt update/full-udgrade output here.

 

[Theune]

Thank you esi_y for your help.

I believe the repository is working (with exception of the enterprise one for which the key needs to be fixed).
The suggestion from mariol to peform:

wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/local/share/ca-certificates/x1.crt
update-ca-certificates -f

worked very well. The repos appear to work (with exception for the enterprise proxmox one, for which I need to have a working key)

The main question for me is to fix the key.

I believe that the remark:

Before you can enter your subscription key in the newly installed server, please reset it in the shop.

Referred to performing a complete new install, before using they key again it should be reset. Not sure what he meant with that. But it is not the route I intent to go.

I think that for an in-place update both repositories need to work (both Debian and enterprise Proxmox). My experience (with other distros) is that there are inter-dependencies between the repos. Updating the Debian, might make the update path of proxmox unlikely to work (is that correct?).

 

[esi_y]

Thank you esi_y for your help.

I believe the repository is working (with exception of the enterprise one for which the key needs to be fixed).
The suggestion from mariol to peform:

That was all me.

The repos appear to work (with exception for the enterprise proxmox one, for which I need to have a working key)

Can you post full output here of your apt update?

The main question for me is to fix the key.

This I would leave up to @mariol.

Referred to performing a complete new install, before using they key again it should be reset. Not sure what he meant with that. But it is not the route I intent to go.

I am not sure either, but what is the error now when you try to activate the key on the old version?

I think that for an in-place update both repositories need to work (both Debian and enterprise Proxmox).

Not exactly. Debian and SOME Proxmox repo has to work. Enterprise or No-subscription one.

 

[Theune]

That was all me.

You're right and only now I realize it ;-)

The output of

apt-update

see below:

# apt update
Ign http://archive.debian.org jessie InRelease
Get:1 http://archive.debian.org jessie Release.gpg [2,420 B]
Hit http://archive.debian.org jessie Release
Ign http://archive.debian.org jessie Release
Ign http://archive.debian.org jessie/main amd64 Packages/DiffIndex
Get:2 https://enterprise.proxmox.com jessie InRelease [172 B]
Ign https://enterprise.proxmox.com jessie InRelease
Get:3 https://enterprise.proxmox.com jessie Release.gpg [172 B]
Ign https://enterprise.proxmox.com jessie Release.gpg
Get:4 https://enterprise.proxmox.com jessie Release [172 B]
Ign https://enterprise.proxmox.com jessie Release
Get:5 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:6 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:7 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:8 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:9 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:10 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:11 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:12 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:13 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:14 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:15 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:16 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:17 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
  HttpError401
Get:18 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US
Get:19 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en
Ign http://archive.debian.org jessie/main Translation-en_US
Ign http://archive.debian.org jessie/main Translation-en
Err http://archive.debian.org jessie/main amd64 Packages
  404  Not Found [IP: 151.101.194.132 80]
Fetched 2,420 B in 6min 0s (6 B/s)
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717
W: Failed to fetch http://archive.debian.org/debian/dists/jessie/main/binary-amd64/Packages  404  Not Found [IP: 151.101.194.132 80]

W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages  HttpError401

E: Some index files failed to download. They have been ignored, or old ones used instead.

Is this what you expected it to be?

On

I am not sure either, but what is the error now when you try to activate the key on the old version?

Invalid response from server: 500 Can't connect to shop.maurer-it.com:443 (500)

 

[esi_y]

# apt update
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
  HttpError401

So this one would not work without subscription.

Err http://archive.debian.org jessie/main amd64 Packages
  404  Not Found [IP: 151.101.194.132 80]

This is strange. Can you post your:

cat /etc/apt/sources.list{,.d/*}

And this one, actually:

W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717

... is alright.

Invalid response from server: 500 Can't connect to shop.maurer-it.com:443 (500)

This is the response of the pve subscription command? To me, it looks like before! So the CA certificate problem is not solved?

I actually would not worry about this too much, I would use the no-subscription repository for the upgrades all the way to PVE7 at the least, it's not like the repositories give you something different by now. The enterprise repository is just some packages behind (so that you are not testing newly released stuff right away in production). But we are talking old PVE versions here...

 

[esi_y]

@mariol Is the below needed because something changed across PVE4 to 8 or because your server changed? IOW Does he need to do this only for PVE8 or even if he wants to now apply it to old PVE4?

Before you can enter your subscription key in the newly installed server, please reset it in the shop.

 

[mariol]

@mariol Is the below needed because something changed across PVE4 to 8 or because your server changed? IOW Does he need to do this only for PVE8 or even if he wants to now apply it to old PVE4?

Good morning. This is only necessary if the ServerID changes, e.g. during a new installation.

 

[Theune]

Code:
cat /etc/apt/sources.list{,.d/*}

See below:

# cat /etc/apt/sources.list{,.d/*}
cat: /etc/apt/sources.list: No such file or directory
deb http://archive.debian.org/debian jessie main
deb https://enterprise.proxmox.com/debian jessie pve-enterprise

As suggested by you I did:

Code:
wget https://shop.maurer-it.com

Which gives:

wget https://shop.maurer-it.com
--2024-10-15 19:49:05--  https://shop.maurer-it.com/
Resolving shop.maurer-it.com (shop.maurer-it.com)... 51.91.38.41, 2001:41d0:203:7470::41
Connecting to shop.maurer-it.com (shop.maurer-it.com)|51.91.38.41|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://shop.proxmox.com/ [following]
--2024-10-15 19:49:06--  https://shop.proxmox.com/
Resolving shop.proxmox.com (shop.proxmox.com)... 79.133.36.249, 2a01:7e0:0:424::2
Connecting to shop.proxmox.com (shop.proxmox.com)|79.133.36.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’

index.html.2                                       [ <=>                                                                                                 ]  18.29K  --.-KB/s   in 0.01s

2024-10-15 19:49:06 (1.43 MB/s) - ‘index.html.2’ saved [18729]

I hope this means the certificate is ok.

From all this I conclude that I should be able to upgrade the system. Do i need to exclude the enterprise repo?

 

[esi_y]

See below:

# cat /etc/apt/sources.list{,.d/*}
cat: /etc/apt/sources.list: No such file or directory
deb http://archive.debian.org/debian jessie main
deb https://enterprise.proxmox.com/debian jessie pve-enterprise

This is as per our changes, so you have jessie archive and (intact) enterprise repo (which you cannot use because no license).

I hope this means the certificate is ok.

I hoped too, but this weird apt update output earlier makes me think twice. Can you afford to reboot the machine?

From all this I conclude that I should be able to upgrade the system. Do i need to exclude the enterprise repo?

You definitely cannot proceed like this. You have no working Proxmox repo. Since you cannot apply your license, which I cannot help with, I would really advise to:

cat > /etc/apt/sources.list.d/jessie-pve.list <<< "deb http://download.proxmox.com/debian/pve jessie pve-no-subscription"

Then I would want to see update & full-upgrade output before proceeding further.

 

[Theune]

Thank esi_y for your continued help.

I've rebooted the machine. This never went wrong and also this time it worked very well.
I've executed the line:

cat > /etc/apt/sources.list.d/jessie-pve.list <<< "deb http://download.proxmox.com/debian/pve jessie pve-no-subscription"

After this I've executed the code:

apt-get update && apt-get dist-upgrade

Resulting in:

apt-get update && apt-get dist-upgrade
Ign http://archive.debian.org jessie InRelease
Get:1 http://archive.debian.org jessie Release.gpg [2,420 B]
Hit http://archive.debian.org jessie Release
Ign http://archive.debian.org jessie Release
Ign http://archive.debian.org jessie/main amd64 Packages/DiffIndex
Hit http://download.proxmox.com jessie InRelease
Get:2 http://download.proxmox.com jessie/pve-no-subscription amd64 Packages [319 kB]
Ign http://download.proxmox.com jessie/pve-no-subscription Translation-en_US
Ign http://download.proxmox.com jessie/pve-no-subscription Translation-en
Get:3 https://enterprise.proxmox.com jessie InRelease [172 B]
Ign https://enterprise.proxmox.com jessie InRelease
Get:4 https://enterprise.proxmox.com jessie Release.gpg [172 B]
Ign https://enterprise.proxmox.com jessie Release.gpg
Get:5 https://enterprise.proxmox.com jessie Release [172 B]
Ign https://enterprise.proxmox.com jessie Release
Get:6 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:7 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:8 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:9 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:10 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:11 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:12 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:13 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:14 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:15 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Get:16 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Get:17 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Get:18 https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages [172 B]
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
  HttpError401
Get:19 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US [172 B]
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US
Get:20 https://enterprise.proxmox.com jessie/pve-enterprise Translation-en [172 B]
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en
Ign http://archive.debian.org jessie/main Translation-en_US
Ign http://archive.debian.org jessie/main Translation-en
Err http://archive.debian.org jessie/main amd64 Packages
  404  Not Found [IP: 151.101.2.132 80]
Fetched 322 kB in 6min 0s (892 B/s)
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717
W: Failed to fetch http://archive.debian.org/debian/dists/jessie/main/binary-amd64/Packages  404  Not Found [IP: 151.101.2.132 80]

W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages  HttpError401

E: Some index files failed to download. They have been ignored, or old ones used instead.

Should I try:

apt update --allow-unauthenticated && apt-get dist-upgrade --allow-unauthenticated