Proxmox Update error

[Daniel Jörg]

Since I see update errors in GUI I tried in the shell. If I'm running apt-get update in the shell I get the following error: "gnutls_handshake() failed: The TLS connection was non-properly terminated" (see below)

What could be the reason? Any ideas how to resolve?

And yes: I have a valid subscription which shows ok on the server.

Thanks
Daniel

----------------

root@proxmox:~# apt-get update
Hit http://security.debian.org jessie/updates InRelease
Ign http://ftp.ch.debian.org jessie InRelease
Hit http://ftp.ch.debian.org jessie Release.gpg
Hit http://ftp.ch.debian.org jessie Release
Hit http://ftp.ch.debian.org jessie/main amd64 Packages
Hit http://ftp.ch.debian.org jessie/contrib amd64 Packages
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/contrib amd64 Packages
Hit http://ftp.ch.debian.org jessie/contrib Translation-en
Hit http://ftp.ch.debian.org jessie/main Translation-en
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://repo.cloudlinux.com stable InRelease
Hit http://repo.cloudlinux.com stable/main amd64 Packages
Ign http://repo.cloudlinux.com stable/main Translation-en_US
Ign http://repo.cloudlinux.com stable/main Translation-en
Ign https://enterprise.proxmox.com jessie InRelease
Ign https://enterprise.proxmox.com jessie Release.gpg
Ign https://enterprise.proxmox.com jessie Release
Ign https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages/DiffIndex
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en_US
Ign https://enterprise.proxmox.com jessie/pve-enterprise Translation-en
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
gnutls_handshake() failed: The TLS connection was non-properly terminated.
W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages gnutls_handshake() failed: The TLS connection was non-properly terminated.

E: Some index files failed to download. They have been ignored, or old ones used instead.

 

[tom]

maybe unrelated, but why do you have a cloudlinux repo in your sources list?

 

[Daniel Jörg]

Hi Tom

maybe unrelated, but why do you have a cloudlinux repo in your sources list?

We have KernelCare installed on this server. And yes: it's unrelated I think.
Daniel

 

[fabian]

what does "openssl s_client -connect enterprise.proxmox.com:443" output?

 

[Daniel Jörg]

This is the answer:

root@proxmox:~# openssl s_client -connect enterprise.proxmox.com:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 C = AT, ST = Wien, L = Vienna, O = Proxmox Server Solutions GmbH, CN = enterprise.proxmox.com, emailAddress = office@proxmox.com
verify return:1
---
Certificate chain
0 s:/C=AT/ST=Wien/L=Vienna/O=Proxmox Server Solutions GmbH/CN=enterprise.proxmox.com/emailAddress=office@proxmox.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGnDCCBYSgAwIBAgIHB9v7Oq61mzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE
BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE
aWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs
YXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MDgxODE3
MTgyOVoXDTE3MDgxODIxMzIzOFowgZkxCzAJBgNVBAYTAkFUMQ0wCwYDVQQIEwRX
aWVuMQ8wDQYDVQQHEwZWaWVubmExJjAkBgNVBAoTHVByb3htb3ggU2VydmVyIFNv
bHV0aW9ucyBHbWJIMR8wHQYDVQQDExZlbnRlcnByaXNlLnByb3htb3guY29tMSEw
HwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1veC5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDJUV7GDBUjjcM66Nh/NI4YLz7+wSW4MKKiNJGmX12u
6AYt6WMVxs4zr8X+H5SDlcbAw3zhGCsGnOeYt9qtgo+T+lgGPOtq6a6qY93OIbRj
bXE2rY63xKlLNgDH76XE+397tbPuAfDb54kylc3GakdCBVKpJ5vuQDz1RBLXEbjp
nyFI5XxsvF5x3vejjHs469ghq3MjwysjoSA/XPveMaqHFUJ1pPgoOlgyxcoCArDH
eK9cjw0fa4RNzp0XxCV6Ubq4JdBtGrzpHRKHhmrwyDkUXwjCfy85gh2B2OLLkKjT
DtWKpgh4CvMuncWkvFNg5h8ymvXhydVzaV4Net97y7AZAgMBAAGjggLyMIIC7jAJ
BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwEwHQYDVR0OBBYEFB2Noj33h44EQeyJ/McoE4JIOQZXMB8GA1UdIwQYMBaA
FBHbI0X9VMxqcW+EigPXvvcBLyaGMC4GA1UdEQQnMCWCFmVudGVycHJpc2UucHJv
eG1veC5jb22CC3Byb3htb3guY29tMIIBVgYDVR0gBIIBTTCCAUkwCAYGZ4EMAQIC
MIIBOwYLKwYBBAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENv
bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0
ZSB3YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMiBWYWxpZGF0aW9u
IHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5j
ZSBvbmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9m
IHRoZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA1BgNVHR8ELjAsMCqgKKAm
hiRodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnQyLWNybC5jcmwwgY4GCCsGAQUF
BwEBBIGBMH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9z
dWIvY2xhc3MyL3NlcnZlci9jYTBCBggrBgEFBQcwAoY2aHR0cDovL2FpYS5zdGFy
dHNzbC5jb20vY2VydHMvc3ViLmNsYXNzMi5zZXJ2ZXIuY2EuY3J0MCMGA1UdEgQc
MBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQsFAAOCAQEA
dcR2Z8U1y0Y4lnfi4LynAJwHIFjXXf295+AhJXZR4JlkuaHnduKuDaUxPHGmNcyt
Lbsys3TFSR3defb3dXCQ7w8hW/r9Es0Ia5PysU6M/UsFxXv4Tep1ECwI/kOQtpFB
eB62sB/iOWp9MqJkOVa60PIOyD2bJwjr2Qb7CaY+UFBU53+Bcwtw3xxStUCeMiAy
eAjvFcRC+eQ5ph6L4s1OKL8WeXqrGzwrld3uCBJPxp7CVkqPG+SqlngFaiapTe+h
tPVHmBl60f90P7kbeixWVH3lQ8d0ZcOpnlWhGRpnbST4UQ/ooVOE8Ryb/8KH5CUU
M9nFH3BG62ubvznAAuTCxw==
-----END CERTIFICATE-----
subject=/C=AT/ST=Wien/L=Vienna/O=Proxmox Server Solutions GmbH/CN=enterprise.proxmox.com/emailAddress=office@proxmox.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3891 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6175CCFBADBA58B643BC59198F5A1C25855BE89F7EDB2054BDEC61734C3B7065
Session-ID-ctx:
Master-Key: 218837A8DC8F96D27ED5828D5B8244FAFB6427C748144EF4C322FFC77504035D0D2AADF7DCA5FA48E838185EBE8A34CE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - a6 c2 61 ec b9 6e 42 40-4c d1 1f 39 cc 3b c4 92 ..a..nB@L..9.;..
0010 - f0 17 7b 7d 7e 80 44 26-24 37 70 e5 09 b8 60 ec ..{}~.D&$7p...`.
0020 - a9 a4 06 4c 14 47 9f 6c-e7 3b 27 09 30 6c c4 29 ...L.G.l.;'.0l.)
0030 - 7d e2 eb 2f 95 2f 88 5c-03 6d 25 e0 41 cd 80 e7 }.././.\.m%.A...
0040 - 26 04 ff 3b c0 5b 6a 0f-4f b0 b1 e0 37 35 c5 4c &..;.[j.O...75.L
0050 - 8d 1b ff 54 cb 3e 60 45-c8 2d 57 78 8f 73 2b 32 ...T.>`E.-Wx.s+2
0060 - 26 09 3d d8 0f 45 52 5f-44 8c aa c6 c0 11 04 f5 &.=..ER_D.......
0070 - db 00 45 f7 bc bb 55 58-33 aa 24 37 c2 5b 9c 0e ..E...UX3.$7.[..
0080 - b3 b5 b9 cf fc 59 21 cc-e6 6c d9 ed 17 f5 df 7a .....Y!..l.....z
0090 - aa 19 af 5c 31 a6 35 27-ad 6d 48 67 ad 84 e9 1f ...\1.5'.mHg....
00a0 - d4 3e 35 cb 36 85 3e 1d-6a 29 ed 9d 8d c5 80 c1 .>5.6.>.j)......
00b0 - 24 3e 37 05 7f 31 95 f9-95 34 b4 14 e6 0a 42 8f $>7..1...4....B.

Start Time: 1486381693
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed

 

[fabian]

do you have a proxy configured? (if done via the PVE mechanism, this is done via /etc/apt/apt.conf.d/76pveproxy )

 

[Daniel Jörg]

No, I did not configure any proxy. The file is empty (except the "// no proxy configured" entry).

 

[fabian]

it probably makes sense to move this to our ticketing system - please register on my.proxmox.com and create a support ticket referencing this thread (for trouble shooting technical issue related to the subscription key / repository access, this is also possible for community subscribers).

 

[Daniel Jörg]

Thanks, just created a ticket but found seconds later the reason in the firewall config:

The enabled option "Drop connection when HTTPS connection with SSL V3 or previous version" in Zyxel USG content filter was the reason.

Thanks for helping

Daniel

 

[fabian]

Thanks, just created a ticket but found seconds later the reason in the firewall config:

The enabled option "Drop connection when HTTPS connection with SSL V3 or previous version" in Zyxel USG content filter was the reason.

Thanks for helping

Daniel

which is strange, because https://enterprise.proxmox.com does not even offer SSL2 and SSL3 ?

 

[grin]

btw see gnutls_handshake() failed: A TLS packet with unexpected length was received.