Failed to retrieve certificate when connecting to AWS Snowballl Edge Device

[antspants7777]

Veeam Case #07608489

Hi everyone,

I'm looking for guidance for connecting AWS Snowball Edge to Veeam B&R 12.3

We have recently configured an AWS Snowball Edge Device in our Datacentre.
All connectivity & keys etc have been confirmed.

When we attempt to create repository for the Snowball Edge device using
- Add Backup Repository
- Object Storage
- Hyperscalers
- Amazon S3
- AWS Snowball Edge

Then use the IP of the device as the service endpoint (172.16.xxx.xxx)
And the confirmed Access key & Secret Key

We get the following error
Failed to retrieve certificate from https://172.16.xxx.xxx
(NB: This does not reference AWS endpoints like in https://www.veeam.com/kb4328)

I am unable to locate the
- CRL Distribution Points
- Authority Information Access

As per kb4328, but can connect to all of the following URLs and tested CRL retrieval successfully, as per
https://www.veeam.com/kb3215

Have confirmed that the Veeam B&R server does not have any external blocking for any ports and the firewall logs show successful connections to AWS URLs

The relevant lines from the Satellite_Console.log file are

Failed to check S3 service point (ServicePoint='https://172.16.xxx.xxx', TrustedCertificate='00000000-0000-0000-0000-000000000000')
Failed to retrieve certificate from https://172.16.xxx.xxx (Veeam.Backup.Model.CPublicCloudCertificateException)

[Mildur]

Hello Tony

I replaced your contract number with the case number.
The case was opened 30 min before this topic. Please give our customer support team some time to investigate the issue.
Unfortunately we won't be able to check and investigate log files through this forum.

Best,
Fabian

[antspants7777]

Thanks Fabian
An update is that it looks like a connection issue, as whatever IP or Port I use, it has the same certificate error

The ports i have tried are
https://172.16.xxx.xxx:8443, 8080 etc.

I can ping this from the backup server and connect via a web browser, SnaowballEdge and OBs clients from the backup server

[antspants7777]

After the registry setting which allows Veeam to connect with HTTP connections in the registry was configured
SOBRArchiveS3DisableTLS – DWORD – Value = 1

We were able to connect via HTTP on Port 8080
Customer was ok with this, as all traffic was internal

We were able to connect to HTTPS via the AWS CLI
Which required both the secret & a certificate (Referred to a CA Bundle)
And as we ran out of time and couldn't work out how to connect via combined cert & secret, we stayed with HTTP

Got certificate using this
snowballEdge list-certificates --profile profile-name
snowballEdge get-certificate --certificate-arn arn:aws:snowball-device:::certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --profile profile-name
Copied this to a .pem file

And connected via AWS CLI
(But not from Veeam)
https://blog.searce.com/internals-of-sn ... 4a55960b64