ProxMox Updating through VSAT (Vessel)

I would run the following commands (will paste outputs as well for comparison) - if any of them do not work you need to take this up with your ISP:
* check that you can ping your gateway (you already did that)
* check that you can ping a public ip that responds to ping (e.g. 8.8.8.8) (you already did that)
* check that you can download files via http (you might need to set a proxy, which needs to be provided by your ISP):
Code:
 wget http://deb.debian.org/debian/dists/buster/main/binary-amd64/Packages.xz
--2019-12-20 16:38:48--  http://deb.debian.org/debian/dists/buster/main/binary-amd64/Packages.xz
Resolving deb.debian.org (deb.debian.org)... 151.101.14.133, 2a04:4e42:3::645
Connecting to deb.debian.org (deb.debian.org)|151.101.14.133|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7907908 (7.5M) [application/x-xz]
Saving to: ‘Packages.xz’

Packages.xz                                                             100%[============================================================================================================================================================================>]   7.54M  27.5MB/s    in 0.3s    

2019-12-20 16:38:48 (27.5 MB/s) - ‘Packages.xz’ saved [7907908/7907908]

* check that you can connect to enterprise.proxmox.com on port 443 and get the correct certificate back:
Code:
 openssl s_client -connect enterprise.proxmox.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = enterprise.proxmox.com
verify return:1
---
Certificate chain
 0 s:CN = enterprise.proxmox.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = enterprise.proxmox.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3715 bytes and written 407 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 203A75E61A6AE6E76747FBD1C125BB665E2D63DEC729617A7E82ED9F090DEF31
    Session-ID-ctx: 
    Master-Key: D2FC213B44B05B499E9BBB7B5CFFA12B9A422B7EFC7E288EA4AAB9505170F0E665FD68D3809B87452FD12C681DB8F62A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1576856375
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
^C

(The certificate needs to match and verify)

* check that you can connect to shop.maurer-it.com likewise:
Code:
openssl s_client -connect shop.maurer-it.com:443

If any of the steps fail - take the diagnostics to your ISP

I hope this helps!
 
confirm package download,

Error in certificate:
Code:
root@oberon1:~#  openssl s_client -connect enterprise.proxmox.com:443
CONNECTED(00000003)
depth=0 CN = enterprise.proxmox.com, L = "                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           "
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = enterprise.proxmox.com, L = "

Results from maurer-it:
see txt
 

Attachments

  • shop-maurer.txt

Seems like a Fortinet firewall in your way is doing SSL MITM:
Code:
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGVM00TM19000443, emailAddress = support@fortinet.com

-> check with the ones who are running that appliance (maybe it's your router, or your ISP has something like that) - and check with them about a potential workaround: either they should let you directly connect to https sites instead of intercepting that traffic - or you can add their CA to your local system's trust store (I personally would not do that since I would not want to have someone intercepting my encrypted traffic - but there might not be a way around that in your environment)

I hope this helps!
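
The comparison made in the replies above can be scripted. The following is an added example, not part of the original thread: a POSIX shell function that reads `openssl s_client` output and reports whether the issuer is the expected one and whether the chain verified. The function name, the verdict strings and the two sample transcripts (constructed from lines quoted in this thread) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client` output.
# Live use (assumes network access; not run by this script):
#   openssl s_client -connect enterprise.proxmox.com:443 \
#     -servername enterprise.proxmox.com </dev/null 2>&1 | check_tls "Let's Encrypt"

# check_tls EXPECTED_ISSUER_SUBSTRING   (s_client output on stdin)
# Prints one verdict: ok | unexpected-issuer | unverified | no-handshake
check_tls() {
    expected=$1
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo no-handshake; return 2
    fi
    # A different issuer means something between this host and the server
    # re-signed the certificate (TLS inspection).
    case $issuer in
        *"$expected"*) ;;
        *) echo unexpected-issuer; return 1 ;;
    esac
    # The issuer name is only a string; the chain must also verify
    # against the local trust store.
    if [ "$code" != 0 ]; then
        echo unverified; return 1
    fi
    echo ok
}

# Constructed sample: direct connection, lines as in the first reply.
sample_direct() { cat <<'EOF'
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: inspected connection, issuer as quoted in the thread.
sample_inspected() { cat <<'EOF'
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGVM00TM19000443, emailAddress = support@fortinet.com
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

echo "direct:    $(sample_direct | check_tls "Let's Encrypt")"
echo "inspected: $(sample_inspected | check_tls "Let's Encrypt")"
```

Running the same check again after changing the inspection policy on the firewall shows whether the host now sees the server's own certificate chain.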
 
Dear Stoiko good day and happy new year!
After some inspections with my cybersecurity software (FortiGate), we found out that by lowering the security level in the certificate inspection check, the subscription can be accessed and the updates are received properly. Are you able to share with me the category of certificate to pass it inside FortiGate and bring back the level as before?
 
Hey - happy new year 2020 to you as well!

Hmm - sadly I don't have too much experience with Fortinet products - probably best to ask their support what the 'security levels' of certificates mean and which effect they have.

On a quick guess I think that raising this level changes what the Fortigate does:
* higher level - it intercepts the TLS-connection (thus breaking the chain of trust) to see what happens inside the TLS encrypted connection
(I personally don't think that this has enough merit and is potentially dangerous, but that's beside the point)

* If you really want the connection to be trusted by the Proxmox host - you need to add the Fortigate's CA to the certificate trust store - but that means that they will be trusted for everything you do via https - see https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html for how to do that.

I hope this helps!
 
