pveam update fails on turnkeylinux

dpearceFL

Trying to update my list of templates. Got the same result on PVE 8.4.1 and on 9.0.5.

Log output of /var/log/pveam.log:

Code:
2025-08-21 10:25:18 start download http://download.proxmox.com/images/aplinfo-pve-9.dat.asc
2025-08-21 10:25:19 download finished: 200 OK
2025-08-21 10:25:19 start download http://download.proxmox.com/images/aplinfo-pve-9.dat.gz
2025-08-21 10:25:20 download finished: 200 OK
2025-08-21 10:25:20 signature verification: 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E
2025-08-21 10:25:20 update successful
2025-08-21 10:25:20 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2025-08-21 10:25:20 download failed: 500 Can't connect to releases.turnkeylinux.org:443 (certificate verify failed)
2025-08-21 10:25:20 update failed - no signature file '/var/lib/pve-manager/apl-info/pveam-releases.turnkeylinux.org.tmp.3120253.asc'

Anyone else seeing this?
 
2025-08-21 10:25:20 download failed: 500 Can't connect to releases.turnkeylinux.org:443 (certificate verify failed)
That sounds like the certificate cannot be verified. What does openssl s_client -connect releases.turnkeylinux.org:443 return for you? Also are you using some kind of proxy?
 
Bash:
# openssl s_client -connect releases.turnkeylinux.org:443
Connecting to 104.21.48.1
CONNECTED(00000003)
depth=2 C=US, O=Blue Coat Systems, Inc., CN=Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate

So that would be a local cert on the PVE box?
 
If I go to https://releases.turnkeylinux.org/pve/aplinfo.dat.asc in a browser, I see the cert with no cert failure.
That isn't the TLS certificate but the signature for the aplinfo from what I can tell. Those are separate things.
So that would be a local cert on the PVE box?
No, this is some middle box. Blue Coat Systems is a provider of security products. Likely you are connecting through something that wants to do some kind of package inspection for security purposes. This “Blue Coat Systems” box is providing its own TLS certificate to do that. You would need to trust that certificate on your Proxmox VE host explicitly for everything to work as intended.

To do that, you need to obtain the certificate from said middle box, then copy that file to the /usr/local/share/ca-certificates (e.g., cp blueboxcert.crt /usr/local/share/ca-certificates) and then run update-ca-trust.

Be careful though, if this middle box is not supposed to be there, someone is likely trying to mess with your connection, and you should not trust any random certificate just so everything “works”.
 
OK. Thanks. I have no control over the middle box. This is at the company I work for and they only support Red Hat and the like, so I have no one to talk to.

Templates do seem to be updating even if I get an error message.
 
OK. Thanks. I have no control over the middle box. This is at the company I work for and they only support Red Hat and the like, so I have no one to talk to.
Alright, but all you should need to ask them for is a certificate file from the middle box. That should not be specific to Red Hat or anything similar. In theory, you could even use openssl to download the cert like so: openssl s_client -connect releases.turnkeylinux.org:443 -showcerts 2>/dev/null | openssl x509 -outform PEM > blueboxcert.crt and then follow the rest of the steps above. However, that is not recommended as that will just trust whatever certificate is being served there without any out-of-band checks. That could be a security risk, so be careful!
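
Added example (not part of the thread and not Proxmox's own tooling): one way to do the out-of-band check discussed above before trusting the proxy's CA. It compares the certificate's SHA-256 fingerprint with one obtained from the network team through a separate channel, and only then installs it with update-ca-certificates, the Debian tool that reads /usr/local/share/ca-certificates. The function names and the expected-fingerprint argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pin a proxy CA certificate to an out-of-band fingerprint
# before adding it to the trust store of a Debian-based host such as Proxmox VE.

# Reduce "sha256 Fingerprint=AA:BB:..." (or a bare hex string) to uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() (
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    printf '%s' "$a" | grep -Eq '^[0-9A-F]{64}$' && [ "$a" = "$b" ]
)

# Read `openssl s_client` output on stdin and print the subject of the first
# certificate the verifier reported (the Blue Coat CA in the thread's output).
first_reported_subject() {
    sed -n 's/^depth=[0-9]* //p' | head -n 1
}

# $1 = PEM file received from the network team
# $2 = fingerprint they communicated separately (hypothetical input)
install_if_pinned() (
    cert=$1
    expected=$2
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || exit 2
    if fp_matches "$actual" "$expected"; then
        # update-ca-certificates only picks up files ending in .crt
        cp "$cert" "/usr/local/share/ca-certificates/$(basename "${cert%.*}").crt"
        update-ca-certificates
    else
        echo "fingerprint mismatch, not trusting $cert" >&2
        exit 1
    fi
)
```

Run install_if_pinned as root with the certificate file and the fingerprint received separately; it leaves the trust store untouched on any mismatch.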