From: "DERUMIER, Alexandre via pve-user" <pve-user@lists.proxmox.com>
To: "pve-user@lists.proxmox.com" <pve-user@lists.proxmox.com>
Cc: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
Subject: Re: [PVE-User] install pve-enterprise (with subscription key) on top of debian install
Date: Wed, 22 Oct 2025 10:22:47 +0000	[thread overview]
Message-ID: <mailman.188.1761128606.362.pve-user@lists.proxmox.com> (raw)
In-Reply-To: <72c56ba2-b60e-4c50-b83b-68da819d7784@gilouweb.com>

Thanks Gilou!

(I'm going to use ansible for this setup deployment, no puppet :p )

I'm using it for hardening
https://github.com/ansible-lockdown/DEBIAN12-CIS

so, I'll add deploy && tuning of proxmox too.

See you at FOSDEM!

-------- Original message --------
From: Gilou <contact+dev@gilouweb.com>
Reply-To: Proxmox VE user list <pve-user@lists.proxmox.com>
To: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] install pve-enterprise (with subscription key) on
top of debian install
Date: 22/10/2025 03:19:42

On 16/10/2025 at 12:05, DERUMIER, Alexandre via pve-user wrote:
> Hi,
> 
> I'm currently working on a hardened pve installation for CIS
> certification, and as it needs luks encryption + specific partitioning,
> I need to install it on top of a debian install.
> 
> I would like to deploy pve-enterprise repo directly, but how can I do
> it on top of debian ?
> 
> The wiki said to install no-subscription first, then switch to
> enterprise after uploading the key in the gui
> https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm
> 
> But that means that more recent packages could be pushed from
> no-subscription first.
> 
> Is it possible to put the key somewhere in /etc/apt/ ?
> 
> Alexandre

Hi,

It's been a while since I've had to do such things.. but here goes..

Unless you have an offline key, you'll need to register the server
first, so that the server ID (hex version of the md5 hash of the SSH
RSA key) is allowed.
Basically, as you can see in proxmox-subscription/src/check.rs:
you need to call:
https://shop.proxmox.com/modules/servers/licensing/verify.php
with that JSON (challenge is epoch time + random string) :
{
         "licensekey": key,
         "dir": server_id,
         "domain": "www.proxmox.com",
         "ip": "localhost",
         "check_token": challenge,
}

Then either you re-register/check it once you have the API available,
or you try to write a valid /etc/subscription file..

Otherwise, it's "simple", you can get the info on a running server:
/etc/apt/auth.conf.d/pve.conf
machine enterprise.proxmox.com/debian/pve
login server_id
password server_key

Set the proper enterprise repos, and it should work, if the server ID
is registered...

This might be interesting to have in the ansible role lae.proxmox (that
you'll probably despise, given your love for ansible HAHA) as well, as
the only supported scenario for now there is to.. remove the enterprise
repos.. either have a curl command to register the server id and
compute /etc/subscription, or a tool (pvesubscription) to wrap that
Rust API in Debian..


Cheers,
Gilou
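
For the `/etc/apt/auth.conf.d/pve.conf` step described in the message above, a shell sketch that writes the credentials file with root-only permissions and audits it; this is an added example, not code from the thread or from Proxmox. The function names are hypothetical, and which key file is hashed for the server ID (and the letter case the shop expects) are assumptions to compare against an already registered server.

```shell
#!/bin/sh
# Added example (not Proxmox code). Function names are hypothetical.

# Hex MD5 of a key file, following the "server ID" description in the message.
# Assumption: the caller passes the right file; the page does not name it,
# nor the letter case expected, so compare against a registered server.
pve_server_id() {
    md5sum "$1" | cut -d' ' -f1
}

# Write <dir>/pve.conf in the three-line layout quoted in the message.
# The file holds the subscription key, so it is created 0600 from the start
# (mktemp + umask) and moved into place atomically.
write_pve_auth() {
    dir=$1 server_id=$2 server_key=$3
    # auth.conf tokens are whitespace-separated: reject empty or spaced values.
    for v in "$server_id" "$server_key"; do
        case $v in
            ''|*[[:space:]]*) echo "invalid credential value" >&2; return 1 ;;
        esac
    done
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$dir/.pve.conf.XXXXXX") || { umask "$old_umask"; return 1; }
    printf 'machine enterprise.proxmox.com/debian/pve\nlogin %s\npassword %s\n' \
        "$server_id" "$server_key" > "$tmp"
    mv -f "$tmp" "$dir/pve.conf"
    umask "$old_umask"
}

# Audit check for a hardening role: succeed only if the file is exactly
# rw------- (no group or other access to the stored key).
auth_file_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}
```

On a real host the target directory is `/etc/apt/auth.conf.d` and the script runs as root; the enterprise repository entry still has to be configured separately, as the message says.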


