From 72be883f4e8d657de39e053fb4d9472e5795dc70 Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Wed, 4 Mar 2026 23:47:54 +0000
Subject: [PATCH] fix(proxmox): prevent broken TLS config on auto-register fingerprint failure (#1303)

When FetchFingerprint fails during agent auto-registration, set verifySSL based on whether a fingerprint was captured rather than hardcoding true. Also heal already-broken nodes (verifySSL=true with empty fingerprint) on legacy re-register to prevent permanent connection failures with self-signed Proxmox certs.
---
 internal/api/config_handlers.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/internal/api/config_handlers.go b/internal/api/config_handlers.go
index 5cbb8c736..329ed1b54 100644
--- a/internal/api/config_handlers.go
+++ b/internal/api/config_handlers.go
@@ -5316,7 +5316,7 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
 // Create a node configuration
 boolFalse := false
 boolTrue := true
- verifySSL := true
+ verifySSL := fingerprint != "" // Only enforce strict TLS when we have a fingerprint to verify against
 nodeConfig := NodeConfigRequest{
 Type: req.Type,
 Name: req.ServerName,
@@ -5501,6 +5501,11 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
 if nodeConfig.Fingerprint != "" {
 instance.Fingerprint = nodeConfig.Fingerprint
 }
+ // Fix broken state: verifySSL=true with no fingerprint can never connect
+ // to self-signed Proxmox certs. Downgrade to insecure if no fingerprint. Refs: #1303
+ if instance.VerifySSL && instance.Fingerprint == "" {
+ instance.VerifySSL = false
+ }
 // Update source if provided (allows upgrade from script to agent)
 if req.Source != "" {
 instance.Source = req.Source
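Review bot: `verifySSL := fingerprint != ""` in the first hunk turns a FetchFingerprint failure into a silently persisted, verification-off node config, so a transient network error or an active MITM at registration time yields a node that never checks the Proxmox certificate afterward. The old hardcoded `true` was fail-closed and at least failed loudly; if fail-open is the accepted trade-off for self-signed certs, the downgrade should at minimum be logged at warning level with the node name so an operator can see it, and ideally re-evaluated once a later fingerprint fetch succeeds. The trailing comment is also misleading, since `VerifySSL=true` without a fingerprint is ordinary CA-chain verification rather than "strict" TLS; suggest `// FetchFingerprint failed: register without TLS verification instead of a config that can never connect to a self-signed cert (operator should be warned).` HandleAutoRegister starts and ends outside the hunk, so whether the failure is already logged earlier is not visible here.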
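Review bot: The heal block `if instance.VerifySSL && instance.Fingerprint == "" { instance.VerifySSL = false }` in the second hunk disables certificate verification for every existing node without a pinned fingerprint, including nodes whose Proxmox certificate is signed by a CA in the trust store and that were connecting fine with `VerifySSL=true`. The comment's premise ("can never connect") holds only for self-signed certs, so for a CA-signed node this is a silent security downgrade triggered by any re-register request. Consider limiting the downgrade to configs known to be broken (for example, a node that has never connected successfully, or only when this request's own fingerprint fetch failed), or at least logging the change with the node name; if the unconditional form is kept, the comment should say so explicitly, e.g. `// NOTE: also clears verification for CA-signed nodes without a pinned fingerprint.` The enclosing function continues beyond the hunk.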
@@ -5545,6 +5550,11 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
 if nodeConfig.Fingerprint != "" {
 instance.Fingerprint = nodeConfig.Fingerprint
 }
+ // Fix broken state: verifySSL=true with no fingerprint can never connect
+ // to self-signed Proxmox certs. Downgrade to insecure if no fingerprint. Refs: #1303
+ if instance.VerifySSL && instance.Fingerprint == "" {
+ instance.VerifySSL = false
+ }
 // Update source if provided (allows upgrade from script to agent)
 if req.Source != "" {
 instance.Source = req.Source
@@ -5860,7 +5870,7 @@ func (h *ConfigHandlers) handleSecureAutoRegister(w http.ResponseWriter, r *http
 } else {
 fingerprint = fp
 }
- verifySSL := true
+ verifySSL := fingerprint != "" // Only enforce strict TLS when we have a fingerprint to verify against
 existingTokenID := ""
 existingTokenValue := ""
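Review bot: The five-line heal block in the +5550 hunk is a byte-for-byte copy of the one added at +5501 earlier in HandleAutoRegister, and the same CA-signed-node caveat applies to it: a node with `VerifySSL=true`, no fingerprint and a CA-trusted certificate is downgraded to no verification here as well. Extracting one small helper (something like `func downgradeUnpinnedTLS(instance *…)` that applies the check, logs the node name at warning level, and documents the self-signed-only rationale) would keep the two call sites consistent and give a single place to tighten the condition later. Both hunks sit inside a function whose start and end are outside this patch.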