Suddenly unable to access web UI

[Maiyannah]

Hi all,
After some time the proxmox UI has become unavalable. It refuses the connection and while it is running, the proxy has nothing in the log.

Things I checked:

1. Tried both hostname and direct IP address
2. Restarted pveproxy
3. Ensured system has up to date APT packages
4. Tried from multiple POPs.
5. SSH to the server (this works)
6. Curl to the URL both local and WAN hangs indefinitely.
7. All logs I could see looked clean.

Any ideas?

It should be noted the web interface has been perfectly accessible about two weeks ago last I had to do some administrata on the VM end and has been continuously running for a year now (not including some update restarts)

 

[RianKellyIT]

If curl hangs rather than refusing outright, pveproxy is likely listening on port 8006 but not completing the TLS handshake. The most common cause after a long uptime is certificate expiry, either the self-signed cert expired or there's a corruption in the PVE cluster certificate store. First verify the port is actually bound:

ss -tlnp | grep 8006

If pveproxy appears there, the service is up and listening, something is blocking the handshake, not the service itself.

Check cert expiry:

openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -dates

If it's expired, regenerate:

pvecm updatecerts --force
systemctl restart pveproxy

Also check pvedaemon, pveproxy depends on it and sometimes the daemon gets stuck without pveproxy logging anything obvious:

systemctl status pvedaemon
systemctl restart pvedaemon pveproxy

If the cert is fine, check whether iptables or nftables picked up a rule blocking 8006 (this can happen after kernel updates or if fail2ban is running):

iptables -L -n | grep 8006
nft list ruleset | grep 8006

One more place to check: the pveproxy journal rather than the log file, the file often stays quiet while the journal shows TLS errors or connection resets:

journalctl -u pveproxy -n 100 --no-pager

Given it was working fine two weeks ago and you've been on continuous uptime for a year, cert expiry is the most likely culprit. PVE's default self-signed certs are valid for 10 years, but if you ever had a custom cert applied it may have a shorter validity.

 

[Maiyannah]

Good shout on certs, it was current however. I did restart it nonetheless, but it had no effect.

Journalctl has nothing at all unusual; it spins up, it makes three workers, and it waits. Thought to check pvedaemon too; same thing.

I don't find any iptables or nft rules affecting 8006.

There were some new versions to upgrade when I hit apt update / upgrade. They installed successfully with no errors.

I tried a restart of the host machine to no effect either.

 

[Maiyannah]

I don't see anything at all tailing journalctl when I try to access the port, for what its worth.

 

[bbgeek17]

1. Curl to the URL both local and WAN hangs indefinitely.

Have you tried 127.0.0.1 ?
It would be helpful if you posted your configuration and commands you run here, rather than just reporting the results.

The output of these commands in text format and encoded with CODE tags is a good start:
pveversion -v
uname -a
uptime
systemctl list-units --failed
systemctl status pve-cluster
systemctl status corosync
systemctl status pvedaemon
systemctl status pveproxy
systemctl status pvestatd
journalctl -b -p err
journalctl -u pve-cluster -b
journalctl -u corosync -b
journalctl -u pvedaemon -b
journalctl -u pveproxy -b
journalctl -u pvestatd -b
pvecm status
pvecm nodes
lsblk
df -h

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox