09 July 2026

`apt` on a no-subscription Proxmox host: the 401, and installing around it

A quick one, because it bites everyone who runs Proxmox without a subscription and it's not obvious the first time. You go to install something, and apt falls over before it does anything useful:

E: Failed to fetch https://enterprise.proxmox.com/debian/pve/dists/bookworm/InRelease  401  Unauthorized
E: The repository 'https://enterprise.proxmox.com/debian/pve bookworm InRelease' is not signed.

That's the enterprise repository, which needs a paid subscription key. Without one it returns 401, and because apt-get update exits non-zero, anything that runs update first — including a lot of vendor install scripts (curl ... | sh) — aborts before installing your actual package. Maddening, because the package you wanted may have nothing to do with Proxmox at all.

The quick way through (one package)

apt-get install uses the package lists already on disk; it doesn't insist on a fresh update. So if the lists for the repo you need were fetched at all, just install directly and let the enterprise 401 be someone else's problem:

DEBIAN_FRONTEND=noninteractive apt-get install -y <package>

That got a third-party tool onto a box for me even with the enterprise repo still throwing 401s in the background.

The proper fix (do this once)

If you're genuinely running no-subscription, switch to the no-subscription repo — that's the supported free channel, and crucially it's where pve-headers live (which you'll want the moment you build a DKMS module):

echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" \
  > /etc/apt/sources.list.d/pve-no-subscription.list
# and disable the enterprise list so update stops erroring:
# comment out the line in /etc/apt/sources.list.d/pve-enterprise.list
apt-get update
apt-get install -y pve-headers-$(uname -r)

(There's also a ceph enterprise list that 401s the same way if you use Ceph — same treatment.)

Notably, none of this requires turning off the enterprise repo to install around it in a pinch — but for a box you'll keep, sort the sources out properly so update is clean and DKMS rebuilds don't surprise you after a kernel bump.

I hope this saves you the head-scratching. Enjoy!

No comments:

Post a Comment