Any Proxmox Gurus Present? noVNC Constant Reconnection + SSL Issue

Proxmox is driving me fucking nuts last night and today…

noVNC isn’t working correctly and it has something to do with the certs. I was pretty sure that everything was kosher before I deployed a LE cert in place of the self generated ones. But ever since then, I’ve had an issue where any VNC console you open will refresh and reconnect every few seconds, making anything you’re doing infeasible.

After deploying the LE certs, I get this error in my logs –

pveproxy[1775]: problem with client; ssl3_read_bytes: sslv3 alert bad certificate

But if I delete my LE certs and use the self-generated certs (via pvecm updatecerts -f), I still have the VNC issue and see this error instead.

pveproxy[3585]: problem with client; ssl3_read_bytes: tlsv1 alert unknown ca

Proxmox help forums are failing me. Some people just re-gen their certs and it works again, some people try a different browser and clear cache and it works again, some topics don’t have any solutions. I’m 10 seconds away from just saying fuck it and reinstalling the OS again. I have a feeling it’s something to do with Proxmox being installed over top of Debian and some underlying incompatibility at play here. But that was my only option since you can’t use RAID in the Proxmox ISO installation without ZFS.

Any ideas for me to try?

I can’t imagine that’s the issue, I always install Proxmox over Debian. With that being said, Proxmox’ web interface can be a real pain. If there’s nothing to lose, I would try doing a fresh install.

Just tedious to reinstall and reconfigure everything, plus I have 4 client VMs that I’ll have to remigrate. But in the end it’ll probably save me more time by just doing a reinstall rather than fighting with this any more.

If you’re unable to find much through the forums etc. then I would just reinstall. Given how much time you’ve already sunk into it, it might just be easier haha.

Yeah, I’m thinking the same.

I’ve found plenty of people with the same issue on the Proxmox forum, but no solutions worked. Tried a dozen times to remove the LE certs and use Proxmox generated ones and vice-versa. I’ve confirmed the cert itself is valid. I’ve tried a plethora of different browsers w/ incognito sessions. The node itself has been rebooted. Services have been restarted a hundred times. Nothing has worked.

I guess reinstall it is! :stuck_out_tongue:

Are you using the fullchain certificate?


Yep, I’ve always used this script to deploy and renew the LE cert:

service nginx stop
certbot certonly --standalone --agree-tos --email {} -d {}
rm -rf /etc/pve/local/pve-ssl.pem
rm -rf /etc/pve/local/pve-ssl.key
rm -rf /etc/pve/pve-root-ca.pem
cp /etc/letsencrypt/live/{}/fullchain.pem /etc/pve/local/pve-ssl.pem
cp /etc/letsencrypt/live/{}/chain.pem /etc/pve/pve-root-ca.pem
cp /etc/letsencrypt/live/{}/privkey.pem /etc/pve/local/pve-ssl.key
service pveproxy restart
service pvedaemon restart
service nginx start

I also tried to use the new built-in ACME cert manager as well to “order” and auto-deploy the certs. End result is always the same (one of the two errors above).
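A pre-restart check for a deployment like the script in the post above: does the private key belong to the leaf certificate, and does the leaf verify against the CA file installed next to it (the peer's view behind a "bad certificate" or "unknown ca" alert)? This is an added example, not part of the original post; the function names are made up here and it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a cert/key/CA triple
# before restarting the service that serves it.
# Usage: check_deploy CERT_OR_FULLCHAIN.pem PRIVATE.key CA.pem

# Public key of the first certificate in a PEM file (the leaf of a fullchain).
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key file.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the key belongs to the leaf, 1 if not, 2 if either file cannot be parsed.
key_matches_cert() {
    c=$(cert_pub "$1") && k=$(key_pub "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the leaf chains to a certificate in the given CA file.
# -untrusted feeds any intermediates bundled in the fullchain to the path
# builder; -no-CApath keeps the system trust directory out of the decision.
chain_verifies() {
    openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Run both checks, print one line per finding, return 0 only if both pass.
check_deploy() {
    rc=0
    if key_matches_cert "$1" "$2"; then
        echo "key:   matches leaf certificate"
    else
        echo "key:   does NOT match leaf certificate (or is unreadable)"; rc=1
    fi
    if chain_verifies "$1" "$3"; then
        echo "chain: leaf verifies against $3"
    else
        echo "chain: leaf does NOT verify against $3"; rc=1
    fi
    return $rc
}
```

With the paths from the script above, the call would be `check_deploy /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.key /etc/pve/pve-root-ca.pem`.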

Yeah, looks like it’s incomplete.

mrowe@us1:~$ sudo openssl s_client -connect {}:8006
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = {}
verify return:1
Certificate chain
 0 s:/CN={}
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
SSL handshake has read 3692 bytes and written 269 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FFB2218B6A7AC5FD02DD80313EDB64B182318FC37EF83B1987AB830E32D01588
    Master-Key: BDDB78BEC4E3017A9CC45FA7D9E976331B97CBDF6EED3B51E6CADC532456F5DF315DC52EDEB49C1097DEA81A49D2FF2F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1559156608
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Cert looks fine to me. SSL handshake succeeds.

Wait a second, I had a brainfart. Fix your damn settings. You don’t want SSLv3.

SSLProtocol             all -SSLv2 -SSLv3

And how do I do that in Proxmox settings? Not using any reverse proxies at the moment.

I gave up on Proxmox and went raw KVM years ago because I didn’t like it. It’s a 5 year old post, but start here:

That’s what I’m seeing in their git too, but on both my proxmox installs, /etc/default/pveproxy doesn’t exist.

Edit: and /usr/bin/pveproxy doesn’t have anything relating to SSL.

I also installed Proxmox on top of Debian.


Looks like they moved it to:

Added “sslv3 => 0” and the new “cipher_list” to the ssl block. But the issue persists :frowning: Cleared cookies/browser data, tried incognito mode, tried completely different browser. Still getting the sslv3 error.

Did you do systemctl restart pveproxy?

Yep. Restart both pvedaemon & pveproxy for safe measure after every config change.

Seems I may have spoken too soon. VNC is currently stable and I’m not seeing the errors anymore. Going to monitor it for the next couple days, but fingers crossed that something I did fixed it or it just needed time to sort itself out.


Use nginx as proxy, do not bother with the proxmox webserver.


Spoken like a true Python dev.


The Python programmer’s creed when shit magically starts working again.

Especially for machine learning shit because… here be dragons
