[GH-ISSUE #65] SSL error when using API Token authentication #34

New issue

Closed

opened 2026-02-27 15:46:06 +03:00 by kerem · 4 comments

kerem commented 2026-02-27 15:46:06 +03:00

Owner

Copy link

Originally created by @therealscienta on GitHub (Sep 3, 2021).
Original GitHub issue: https://github.com/proxmoxer/proxmoxer/issues/65

I get the following errors when trying to use API Token authentication. The token is generated as root without privilege separation. The same error shows when using password authentication and ssl_verify=True, but not when False. The SSL cert is Proxmox default.

Running Python 3.9.5
proxmoxer 1.1.1
requests 2.26.0
requests-toolbelt 0.9.1
paramiko 2.7.2

The code I run:

from proxmoxer import ProxmoxAPI

host = '10.10.3.2'
proxmox = ProxmoxAPI(host, 
		user='root', 
		token_name='testtoken', 
		token_value='a2f1e4f6-5936-4eee-b6a2-851e67b97b0c')

print(proxmox.nodes.get())

The error:

Traceback (most recent call last):
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\ssl_.py", line 432, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\ssl_.py", line 474, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "C:\Program Files\Python39\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Program Files\Python39\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\Program Files\Python39\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\adapters.py", line 439, in send
    resp = conn.urlopen(
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\Logan\Nextcloud\Arbete\Code\Proxmox\proxmox_talk.py", line 21, in <module>
    nodes = proxmox.nodes.get()
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\core.py", line 105, in get
    return self(args)._request("GET", params=params)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\core.py", line 85, in _request
    resp = self._store["session"].request(method, url, data=data or None, params=params)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\backends\https.py", line 178, in request
    return super(ProxmoxHttpSession, self).request(method, url, params, data, headers, cookies, files, auth,
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
[Finished in 208ms]

Originally created by @therealscienta on GitHub (Sep 3, 2021). Original GitHub issue: https://github.com/proxmoxer/proxmoxer/issues/65 I get the following errors when trying to use API Token authentication. The token is generated as root without privilege separation. The same error shows when using password authentication and ssl_verify=True, but not when False. The SSL cert is Proxmox default. Running Python 3.9.5 proxmoxer 1.1.1 requests 2.26.0 requests-toolbelt 0.9.1 paramiko 2.7.2 The code I run: ``` from proxmoxer import ProxmoxAPI host = '10.10.3.2' proxmox = ProxmoxAPI(host, user='root', token_name='testtoken', token_value='a2f1e4f6-5936-4eee-b6a2-851e67b97b0c') print(proxmox.nodes.get()) ``` The error: ``` Traceback (most recent call last): File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 699, in urlopen httplib_response = self._make_request( File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 382, in _make_request self._validate_conn(conn) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 1010, in _validate_conn conn.connect() File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connection.py", line 411, in connect self.sock = ssl_wrap_socket( File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\ssl_.py", line 432, in ssl_wrap_socket ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\ssl_.py", line 474, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock) File "C:\Program Files\Python39\lib\ssl.py", line 500, in wrap_socket return self.sslsocket_class._create( File "C:\Program Files\Python39\lib\ssl.py", line 1040, in _create self.do_handshake() File "C:\Program Files\Python39\lib\ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\adapters.py", line 439, in send resp = conn.urlopen( File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\connectionpool.py", line 755, in urlopen retries = retries.increment( File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\urllib3\util\retry.py", line 574, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "C:\Users\Logan\Nextcloud\Arbete\Code\Proxmox\proxmox_talk.py", line 21, in <module> nodes = proxmox.nodes.get() File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\core.py", line 105, in get return self(args)._request("GET", params=params) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\core.py", line 85, in _request resp = self._store["session"].request(method, url, data=data or None, params=params) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\proxmoxer\backends\https.py", line 178, in request return super(ProxmoxHttpSession, self).request(method, url, params, data, headers, cookies, files, auth, File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\sessions.py", line 542, in request resp = self.send(prep, **send_kwargs) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\sessions.py", line 655, in send r = adapter.send(request, **kwargs) File "C:\Users\Logan\AppData\Roaming\Python\Python39\site-packages\requests\adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))) [Finished in 208ms] ```

kerem 2026-02-27 15:46:06 +03:00

• closed this issue
• added the
  backend:https
  version:py3
  version:latest
  labels

kerem commented 2026-02-27 15:46:07 +03:00

Author

Owner

Copy link

@jhollowe commented on GitHub (Sep 7, 2021):

In that code, you are missing verify_ssl=False in your ProxmoxAPI() call. You will also need to add the realm (for root it is probably pam, so root@pam) to the user for it to properly authenticate.

I used the below code (after creating the "testtoken" API token under the "root@pam" user) and it successfully printed the node information.

from proxmoxer import ProxmoxAPI

host = '10.x.x.x'
proxmox = ProxmoxAPI(host,
		user='root@pam',
		token_name='testtoken',
		token_value='14870084-3cd5-4a40-b096-240ee8bef29d',
		verify_ssl=False)

print(proxmox.nodes.get())

If this solved your issue, please close the issue; if you have further questions, please ask!

<!-- gh-comment-id:914257091 --> @jhollowe commented on GitHub (Sep 7, 2021): In that code, you are missing `verify_ssl=False` in your ProxmoxAPI() call. You will also need to add the realm (for root it is probably pam, so `root@pam`) to the user for it to properly authenticate. I used the below code (after creating the "testtoken" API token under the "root@pam" user) and it successfully printed the node information. ```python from proxmoxer import ProxmoxAPI host = '10.x.x.x' proxmox = ProxmoxAPI(host, user='root@pam', token_name='testtoken', token_value='14870084-3cd5-4a40-b096-240ee8bef29d', verify_ssl=False) print(proxmox.nodes.get()) ``` *If this solved your issue, please close the issue; if you have further questions, please ask!*

kerem commented 2026-02-27 15:46:07 +03:00

Author

Owner

Copy link

@therealscienta commented on GitHub (Sep 8, 2021):

In that code, you are missing verify_ssl=False in your ProxmoxAPI() call. You will also need to add the realm (for root it is probably pam, so root@pam) to the user for it to properly authenticate.

I used the below code (after creating the "testtoken" API token under the "root@pam" user) and it successfully printed the node information.

from proxmoxer import ProxmoxAPI

host = '10.x.x.x'
proxmox = ProxmoxAPI(host,
		user='root@pam',
		token_name='testtoken',
		token_value='14870084-3cd5-4a40-b096-240ee8bef29d',
		verify_ssl=False)

print(proxmox.nodes.get())

If this solved your issue, please close the issue; if you have further questions, please ask!

Oh, I'm sorry. Of course I did try verify_ssl=False (and root@pam) and get the same result.

proxmox = ProxmoxAPI(host, 
					  user='root@pam', 
					  token_name='testtoken', 
					  token_value='a2f1e4f6-5936-4eee-b6a2-851e67b97b0c',
					  verify_ssl=True)

requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

If reading the source code correcly, it does not use that parameter at all:

class ProxmoxHTTPApiTokenAuth(ProxmoxHTTPAuthBase):
    def __init__(self, username, token_name, token_value, service):
        super(ProxmoxHTTPApiTokenAuth, self).__init__(service)
        if self.service == "PMG":
            logger.warning("PMG service does not support API Tokens")
        self.username = username
        self.token_name = token_name
        self.token_value = token_value

    def __call__(self, r):
        r.headers["Authorization"] = "{0}APIToken={1}!{2}={3}".format(self.service, self.username, self.token_name, self.token_value)
        return r

<!-- gh-comment-id:915418922 --> @therealscienta commented on GitHub (Sep 8, 2021): > > > In that code, you are missing `verify_ssl=False` in your ProxmoxAPI() call. You will also need to add the realm (for root it is probably pam, so `root@pam`) to the user for it to properly authenticate. > > I used the below code (after creating the "testtoken" API token under the "root@pam" user) and it successfully printed the node information. > > ```python > from proxmoxer import ProxmoxAPI > > host = '10.x.x.x' > proxmox = ProxmoxAPI(host, > user='root@pam', > token_name='testtoken', > token_value='14870084-3cd5-4a40-b096-240ee8bef29d', > verify_ssl=False) > > print(proxmox.nodes.get()) > ``` > > _If this solved your issue, please close the issue; if you have further questions, please ask!_ Oh, I'm sorry. Of course I did try verify_ssl=False (and root@pam) and get the same result. ``` proxmox = ProxmoxAPI(host, user='root@pam', token_name='testtoken', token_value='a2f1e4f6-5936-4eee-b6a2-851e67b97b0c', verify_ssl=True) ``` `requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.3.2', port=8006): Max retries exceeded with url: /api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))` If reading the source code correcly, it does not use that parameter at all: ``` class ProxmoxHTTPApiTokenAuth(ProxmoxHTTPAuthBase): def __init__(self, username, token_name, token_value, service): super(ProxmoxHTTPApiTokenAuth, self).__init__(service) if self.service == "PMG": logger.warning("PMG service does not support API Tokens") self.username = username self.token_name = token_name self.token_value = token_value def __call__(self, r): r.headers["Authorization"] = "{0}APIToken={1}!{2}={3}".format(self.service, self.username, self.token_name, self.token_value) return r ```

kerem commented 2026-02-27 15:46:07 +03:00

Author

Owner

Copy link

@jhollowe commented on GitHub (Sep 9, 2021):

In your example, you still have verify_ssl=True which will cause the given error if you are using the self-signed cert that comes default with PVE.

And the verify_ssl is used in the session and not the individual auth. If you look in the Backend class, you will see where it sets up the session with verify_ssl and selects the auth to use.

<!-- gh-comment-id:916117634 --> @jhollowe commented on GitHub (Sep 9, 2021): In your example, you still have `verify_ssl=True` which will cause the given error if you are using the self-signed cert that comes default with PVE. And the `verify_ssl` is used in the session and not the individual auth. If you look in the [Backend class](https://github.com/proxmoxer/proxmoxer/blob/2f9c81ee124becde06d90b6704336da04b432b6d/proxmoxer/backends/https.py#L198), you will see where it sets up the session [with `verify_ssl`](https://github.com/proxmoxer/proxmoxer/blob/2f9c81ee124becde06d90b6704336da04b432b6d/proxmoxer/backends/https.py#L221) and selects the auth to use.

kerem commented 2026-02-27 15:46:07 +03:00

Author

Owner

Copy link

@therealscienta commented on GitHub (Sep 9, 2021):

Yep, now it works. Maybe leave the coding when feeling under the weather...

Thank you for your help and thank you for this nice lib!

<!-- gh-comment-id:916397470 --> @therealscienta commented on GitHub (Sep 9, 2021): Yep, now it works. Maybe leave the coding when feeling under the weather... Thank you for your help and thank you for this nice lib!

kerem referenced this issue 2026-02-27 15:46:40 +03:00

[PR #34] [MERGED] Multi service support #147

kerem referenced this issue 2026-02-27 15:46:43 +03:00

[PR #69] [MERGED] Version 1.2.0 #160

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

release/2.3.0

develop-1.x

2.3.0

2.2.0

2.1.0

2.0.1

2.0.0

1.3.1

1.3.0

1.2.0

1.1.1

1.1.0

1.0.4

1.0.3

0.2.6

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.8

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Labels

Clear labels   

backend:https

  

backend:local

  

backend:openssh

  

backend:ssh_paramiko

  

pull-request

Mirrored from GitHub Pull Request

  

status:ansible-issue

  

status:help-wanted

  

status:info-needed

  

status:proxmox-issue

  

status:review-needed

  

type:bug 🐞

  

type:dependency ⛓️

  

type:docs 📝

  

type:enhancement ⏫

  

type:maintenance 🛠️

  

type:meta

  

type:question ❓

  

type:request ✋

  

type:testing 🧪

  

version:1.x

  

version:latest

  

version:py2

  

version:py3

No labels

backend:https

backend:local

backend:openssh

backend:ssh_paramiko

pull-request

status:ansible-issue

status:help-wanted

status:info-needed

status:proxmox-issue

status:review-needed

type:bug 🐞

type:dependency ⛓️

type:docs 📝

type:enhancement ⏫

type:maintenance 🛠️

type:meta

type:question ❓

type:request ✋

type:testing 🧪

version:1.x

version:latest

version:py2

version:py3

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/proxmoxer#34

No description provided.