Title: WebAuthn "no webauthn configuration available" — Fresh 8.4.1 install, previously worked
Hi all,
I'm trying to enable WebAuthn passkey login for a single user (`root@pam`) on a fresh install of Proxmox VE 8.4.1. This setup worked perfectly last week — same hardware, same domain, same proxy config — but now I consistently get the error:
Goal
Setup
What I’ve Tried
- Created
Verified ownership:
- Restarted:
- Installed required Perl module:
- Cleaned up
- Removed all TOTP configs (no :totp or :x: flags in
- Tried enabling WebAuthn in GUI under:
Datacenter → Permissions → Realms → pam → TFA
(no effect — origin field never appears)
- Log output
Fixed after correcting
Even after all this, still getting:
Notes
- Exact same config worked a week ago (Touch ID WebAuthn)
- This is a single-node system, no cluster
- Fully valid HTTPS + DuckDNS + proper certs
- WebAuthn module is present and working in Perl
Ask:
What else can I check to get Proxmox to recognize `tfa.json`?
Is there a change in 8.4.1 that requires additional WebAuthn configuration?
Is there a known way to force backend reload of the config?
Happy to post logs, debug output, or minimal repro.
Thanks!
— Chance?
Hi all,
I'm trying to enable WebAuthn passkey login for a single user (`root@pam`) on a fresh install of Proxmox VE 8.4.1. This setup worked perfectly last week — same hardware, same domain, same proxy config — but now I consistently get the error:
Goal
- Enable passkey login (Touch ID via Safari on macOS)
- Use valid HTTPS (Let's Encrypt cert via Caddy reverse proxy)
- Access over DuckDNS (public domain with internal routing)
- No TOTP or fallback 2FA — passkey-only login for `root@pam`
Setup
- Proxmox VE 8.4.1 (clean install, not upgraded)
- Caddy reverse proxy using Let’s Encrypt certificate:
Code:butch-proxmox.duckdns.org { reverse_proxy 127.0.0.1:8006 encode zstd gzip log { output file /var/log/caddy/proxmox-access.log format json } } - DuckDNS domain: https://<redacted>.duckdns.org
- HTTPS verified, no issues with cert trust in browser
- Touch ID working for other WebAuthn sites
- macOS client; also tested Chrome with local DNS override
What I’ve Tried
- Created
/etc/pve/priv/tfa.json with:
Code:
{
"webauthn": {
"origin": "https://<redacted>.duckdns.org"
}
}root:www-data, permissions 600- Restarted:
Code:
systemctl restart pveproxy
systemctl restart pvedaemon
systemctl restart pvestatd- Installed required Perl module:
Code:
apt install cpanminus build-essential libssl-dev libperl-dev
cpanm Authen::WebAuthn
perl -MAuthen::WebAuthn -e 1- Cleaned up
/etc/pve/domains.cfg:
Code:
pam: pam
comment Linux PAM standard authentication- Removed all TOTP configs (no :totp or :x: flags in
/etc/pve/user.cfg)- Tried enabling WebAuthn in GUI under:
Datacenter → Permissions → Realms → pam → TFA
(no effect — origin field never appears)
- Log output
journalctl -u pveproxy -f showed (before fix):
Code:
file /etc/pve/domains.cfg line 4 (skip section 'pam'): unsupported type 'realm'realm: pam → pam: pamEven after all this, still getting:
Notes
- Exact same config worked a week ago (Touch ID WebAuthn)
- This is a single-node system, no cluster
- Fully valid HTTPS + DuckDNS + proper certs
- WebAuthn module is present and working in Perl
Ask:
What else can I check to get Proxmox to recognize `tfa.json`?
Is there a change in 8.4.1 that requires additional WebAuthn configuration?
Is there a known way to force backend reload of the config?
Happy to post logs, debug output, or minimal repro.
Thanks!
— Chance?
