Hello,
I have S3-compatible storage on premises, with 4 dedicated gateway servers at the same location.
On a backup copy job of 700 VMs, I very regularly get "Failed to retrieve certificate" errors on some VMs. I worked with the logs, and I noticed that the gateways cannot reach certain CRL URLs via HTTP, which is normal, as we block those flows at the firewall.
Why, despite the fact that the gateways cannot validate the certificate, do some backup copy VMs end up successful and others do not?
I would like to add that we have forced the use of the 4 gateways with no internet access on the S3 repository.
The VBR server can access the internet on TCP ports 80/443.
Thank you,
Alexandre
-
- Service Provider
- Posts: 48
- Liked: 2 times
- Joined: Jan 22, 2019 4:21 pm
- Full Name: ALEXANDRE D
- Location: Reims, France
- Contact:
-
- Veeam Software
- Posts: 2233
- Liked: 541 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Job to S3 Failed to retrieve certificate from ..
Hi Alexandre,
Sorry to hear about the challenges with the backup copy job. I'm afraid we won't be able to explain the difference here on the forums as it will require log review, so please open a Support Case as noted when creating a topic and allow the Support team time to review the issue. Be sure to include logs from the affected jobs for Support to review. (Use the 1st radio button and select the affected jobs. Hint: you can use ctrl+click or shift+click to select multiple)
There is a registry value/configuration value that I suspect was implemented for you at some point:
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: ObjectStorageTlsRevocationCheck
Value Type: DWORD (32-Bit) Value
Value Data: 0
For Linux-based Gateway servers, add the following entry to the /etc/VeeamAgentConfig file:
ObjectStorageTlsRevocationCheck=0
Note: Prior to Veeam Backup & Replication 12, this setting was named S3TLSRevocationCheck.
It's possible that this will help, but I would advise letting Support check the issue first and confirm the details. Thanks!
David Domask | Product Management: Principal Analyst
-
- VP, Product Management
- Posts: 7121
- Liked: 1525 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Job to S3 Failed to retrieve certificate from ..
CRL URLs are typically provided over HTTP, and you should allow this to fix the issue, not work around it by adding the reg key to force us to ignore the (timeout) issue. Depending on the bandwidth available, you might even see much faster processing because we do not run into the timeout waits.
On the internet you can read why this is the case, and even the Microsoft Crypto API that we use ignores HTTPS URLs for CRLs.
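Added example (not part of the thread and not Veeam code): a way to list which CRL hosts the gateways need to reach over HTTP, by parsing the `openssl x509 -noout -text` output of the S3 endpoint certificate and reducing the CRL Distribution Points to host/port pairs for a firewall rule. The certificate excerpt and all `example.test` hostnames are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Veeam code. All hostnames are constructed placeholders.

# Constructed excerpt of `openssl x509 -noout -text` output for an S3 endpoint cert.
sample_cert_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/issuing-ca.crl
                Full Name:
                  URI:http://crl2.example.test:8080/issuing-ca.crl
                Full Name:
                  URI:ldap://dc.example.test/CN=issuing-ca
            Authority Information Access:
                CA Issuers - URI:http://pki.example.test/issuing-ca.crt
EOF
}

# Print only the URIs inside the "CRL Distribution Points" extension.
# The block ends at the next line indented no deeper than the extension name,
# so URIs from other extensions (for example CA Issuers) are not reported.
crl_urls() {
  awk '
    { indent = match($0, /^ +/) ? RLENGTH : 0 }
    /X509v3 CRL Distribution Points/ { in_cdp = 1; base = indent; next }
    in_cdp && indent <= base { in_cdp = 0 }
    in_cdp && /URI:/ { sub(/^.*URI:/, ""); print }
  '
}

# Reduce http:// URLs to unique "host port" pairs (default port 80).
# Non-HTTP entries such as ldap:// are dropped.
http_endpoints() {
  sed -n -E 's#^http://([^/:]+)(:([0-9]+))?(/.*)?$#\1 \3#p' |
    awk '{ print $1, ($2 == "" ? 80 : $2) }' | LC_ALL=C sort -u
}

# Run on a gateway: succeeds only if the CRL can be fetched within 5 seconds.
probe() { curl -sS -f -m 5 -o /dev/null "$1"; }

# Offline demonstration on the constructed sample.
sample_cert_text | crl_urls | http_endpoints

# Live use from a gateway (s3.example.test is a placeholder for your endpoint):
#   openssl s_client -connect s3.example.test:443 </dev/null 2>/dev/null |
#     openssl x509 -noout -text | crl_urls |
#     while read -r u; do probe "$u" || echo "BLOCKED $u"; done
```

Intermediate CA certificates carry their own CRL Distribution Points, so repeat the extraction for each certificate in the chain.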