-
- Influencer
- Posts: 15
- Liked: 28 times
- Joined: Nov 14, 2012 2:28 am
- Full Name: Craig Braithwaite
- Contact:
After vSphere 6.0 upgrade - remote certificate is invalid
After upgrading the vSphere vCenter server from 5.5.2 to 6.0.0 (which did automatically upgrade the SSL certificates), backups and restores from Veeam B&R 8.0.0.2 fail when tested.
The backup details show:
- Task failed Error: The remote certificate is invalid according to the validation procedure.
A restore attempt shows the following when attempting to expand the VC node:
- Failed to login to "myVC" by SOAP, port 443, user "myVC\admin_account", proxy srv: port:0
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
<side_issue> tried upgrading the vsphere client (exe) on the b&r host to trick SSL, that didn't help </side_issue>
Ok.. so..
* In VeeamB&R -> "Backup Infrastructure", drill down the offered tree +Managed servers + VMware vSphere + vCenter Servers + myVC.
* right click on myVC and select menu item "properties"
.. 'Name' page .. leave alone
(b)"Next"
.. 'Credentials' page..
(b)"Next"
now this looks good.. "an untrusted certificate is installed on "myVC" and secure communication cannot be guaranteed. Connect to this server anyway?"
(b)"Connect"
bit of connecting and saving server configuration going on.. then done
..'Summary' page.
shows a summary that includes "Host info: VMware VCenter Server 5.5.0 build-2183111" which I think is odd since the whole issue stems from the upgrade to 6.0.0 and the build shown there is 2656760.
(b)"Finish"
ps: "myVC" is my vCenter server, mine isn't actually called that and I doubt yours is either.
Test a restore of an 'incidental' machine.. I can now browse past the VC node of the Hosts and Clusters tree which was my initial stopping point so I'll cancel the restore wizard and test a backup.
Backup and Replication -> jobs -> Backup -> cbdev.. [RMB] start ...success !!
It's been a bit of a day, I hope this info helps someone.
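The "Connect to this server anyway?" prompt in the steps above asks the admin to trust whatever certificate is being served at that moment. As an added example (not part of the original post, and not Veeam or VMware code), this PowerShell, run on the B&R host, shows the certificate presented on port 443, its thumbprints and how Windows validation judges it, so it can be compared with the certificate known to be installed on the server before clicking Connect. `myVC` is the thread's placeholder name and `$ExpectedThumbprint` is a hypothetical parameter.

```powershell
# Added example (not from the thread): inspect the certificate a vCenter/ESXi
# server presents, from the B&R host, before accepting it in the wizard.
param(
    [string]$Server = 'myVC',          # the thread's placeholder; use your server's FQDN
    [int]$Port = 443,
    [string]$ExpectedThumbprint = ''   # hypothetical: SHA-1 thumbprint read out-of-band on the server
)

$script:policyErrors = $null
# Let the handshake finish whatever the certificate is, recording what Windows
# validation thinks of it. Nothing is sent and no trust decision is stored.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($src, $certificate, $chainSeen, $errors)
    $script:policyErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose() }
} finally { $tcp.Close() }

# Chain detail against this machine's Windows certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check usable without CRL access
[void]$chain.Build($cert)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    SubjectAltNames  = if ($san) { $san.Format($false) } else { '' }
    SHA1Thumbprint   = $cert.Thumbprint
    SHA256Thumbprint = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    PolicyErrors     = $script:policyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    MatchesExpected  = if ($want) { $cert.Thumbprint -eq $want } else { 'not checked' }
}
```

A `PolicyErrors` value other than `None` is what .NET reports as "The remote certificate is invalid according to the validation procedure"; `ChainStatus` and `SubjectAltNames` show whether the cause is an untrusted issuer or a name that does not match `$Server`.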
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Craig, thanks for sharing this with the community! Much appreciated.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jan 04, 2012 11:02 am
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thanks for taking the time to share that.
You have just saved several hours of my Friday night working through the problem.
Much appreciated.
-
- Influencer
- Posts: 10
- Liked: 5 times
- Joined: Jun 23, 2014 1:51 pm
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thank you, this helped me as well. Steps were identical to what I saw, including the vCenter version cosmetically listing at v5.5.
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jun 26, 2015 2:57 pm
- Full Name: Eric Bostrom
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thx bud, this fixed it.
-
- Lurker
- Posts: 2
- Liked: 1 time
- Joined: Dec 04, 2014 6:02 pm
- Full Name: Ryan Worrell
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thanks for sharing!
-
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Mar 17, 2014 11:06 am
- Full Name: Dave Hamer
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Confirmed: Also works with Standalone ESXi hosts
-
- Expert
- Posts: 117
- Liked: 31 times
- Joined: Oct 30, 2012 7:53 pm
- Full Name: Chris Jones
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
I had the same issue after replacing all certificates with ones signed by our internal Microsoft Enterprise Root CA, a rescan of vCenter would fail along with backups and restores due to certificate errors. I did the same thing, just edit the vCenter Server within the B&R Console and click Next thru the entire wizard, then click Finish. It's almost too easy. Then I did a rescan of vCenter and it was all good.
It should be a good habit of all B&R admins that whenever you change anything at all with vCenter, storage infrastructure or proxies you should always rescan that infrastructure within the B&R console. I do this religiously and it solves problems before they become real issues.
-
- Veeam Legend
- Posts: 128
- Liked: 38 times
- Joined: Sep 26, 2013 8:40 am
- Full Name: Alessandro T.
- Location: Bologna, Italy
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
hi, this was useful even after a certificate regeneration performed on a VCSA.
Craigb wrote:
* In VeeamB&R -> "Backup Infrastructure", drill down the offered tree +Managed servers + VMware vSphere + vCenter Servers + myVC.
* right click on myVC and select menu item "properties"
.. 'Name' page .. leave alone
(b)"Next"
.. 'Credentials' page..
(b)"Next"
now this looks good.. "an untrusted certificate is installed on "myVC" and secure communication cannot be guaranteed. Connect to this server anyway?
(b)"Connect"
bit of connecting and saving server configuration going on.. then done
..'Summary' page.
shows a summary that includes "Host info: VMware VCenter Server 5.5.0 build-2183111" which I think is odd since the whole issue stems from the upgrade to 6.0.0 and the build shown there is 2656760.
(b)"Finish"
Alessandro aka Tinto | VMCE 2024 | Veeam Legend | VCP-DCV 2023 | VVSPHT2023 | vExpert 2024
blog.tinivelli.com
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 10, 2010 7:36 pm
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thanks for the info! Fixed my issue.
-
- Lurker
- Posts: 2
- Liked: 6 times
- Joined: Nov 07, 2014 1:18 am
- Full Name: Raymond Schuiling
Re: After vSphere 6.0 upgrade - remote certificate is invali
Yep, same here after I changed the certificate of the VCSA for Citrix integration .......
Followed your steps and it was solved. Thanks !!
Will also religiously rescan Veeam infrastructure
-
- Lurker
- Posts: 2
- Liked: 1 time
- Joined: Nov 15, 2013 12:43 pm
- Full Name: Christos Minias
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Craig you are awesome. Not only you figured out an obscure error, but you took the time to post it (and save my day).
Thank you!
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Sep 14, 2015 4:04 am
- Full Name: James C King
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Saved me a whole bunch of pain too - Let me add my thanks too!
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Feb 01, 2016 3:59 pm
- Full Name: Garrett
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
This helped me today. Thank you for sharing.
-
- Novice
- Posts: 4
- Liked: 5 times
- Joined: Aug 12, 2013 11:27 pm
- Full Name: Susan Strayer Curtis
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thx for the helpful post. Certs broke in Veeam after our cert manager updated them.
To fix them all I had to do was drill into Backup Infrastructure -> VMware server, touch Credentials (without changing them) and Finish the configuration
VMs started backing up successfully again for both running jobs, and failed jobs that I retried just 45 minutes after I first saw the failures.
Quick easy solution to something that could have been long and painful.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 24, 2016 9:30 pm
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
+1 on the community kudos meter for this one.
I managed to trigger this one by doing a clone migration of a vcenter appliance from one host to another in a small Essentials environment.
Have also added "rescan everything" after touching anything to my best practices bundle.
Thanks Craig, and others for comments.
Cheers
Andrew
-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 10, 2016 12:16 pm
- Full Name: Julie Reynolds
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thanks for this information! My backups had been working fine but I made changes to my vCenter appliance; changed the location of core and log files to a NFS share.
Followed your instructions and I am back in business.
-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thank you! Helped us out today.
-
- Enthusiast
- Posts: 47
- Liked: 6 times
- Joined: Mar 06, 2012 11:45 pm
- Full Name: Nicolas Reutemann
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Works too after upgrading from vCenter 5.1 to 5.5
Thanks!
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Mar 06, 2012 8:43 am
- Full Name: Luis F. Mayorgas
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
It worked fine for me too. Thanks a lot!
-
- Novice
- Posts: 4
- Liked: 1 time
- Joined: Sep 25, 2014 8:57 am
- Full Name: Ionut Nica
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Hi,
is there any programmatic way to do this?
we have 30 BRS servers, and 30 vcenters, and we have a partial mesh topology.
so doing this a few hundred times a year looks rather daunting and pointless.
Also I'm not sure I understand why this is happening.
we have PKI issued certificates and the windows servers where B&R runs trust the certificate issued to vcenter.
is there any way to add the root CAs to Veeam certificate store or something?
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Apr 05, 2016 1:15 pm
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thank you so much for posting this. Saved me so much frustration! I saw all my backups fail and thought to myself "Today is gonna suck..." Thanks again!
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 08, 2017 6:36 pm
- Full Name: Chris Supnet
Re: After vSphere 6.0 upgrade - remote certificate is invali
Thank you for this... saved me a ton of time!
-
- Novice
- Posts: 5
- Liked: 1 time
- Joined: Oct 23, 2017 10:50 am
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Nice one, thanks
Had a problem after upgrading ESXi to 6.5 and this fixed it.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Jan 10, 2017 5:18 am
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invali
Excellent - your brain worked hard so mine didn't have to. Cheers for that!
In this instance I created my own problem after upgrading V B&R to 9.5 u3a and [the next day] VCentre to 6.7 [from 6.5]. I haven't updated the hosts yet. Fiddling with Vcentre and Update Manager I came across cert issues which I thought I'd 'refresh' to see if that fixed the alerts I was seeing. Broke Veeam... If you have this issue pay attention to which certs have caused the issue: if on VCentre then run through credential re-save as OP instructed via 'BackUp Infrastructure', if on host/s then same process but through 'Inventory' on each affected host.
-
- Enthusiast
- Posts: 38
- Liked: 4 times
- Joined: Dec 30, 2011 10:26 pm
- Full Name: Chris
Re: After vSphere 6.0 upgrade - remote certificate is invali
We had this issue on the latest version of VB&R (9.5.0.1922) - but only after migrating vCenter to its latest version (6.5 > 6.7.0 build 9433894). Thank you for the post!
-
- Influencer
- Posts: 19
- Liked: never
- Joined: Feb 06, 2015 4:17 pm
Re: After vSphere 6.0 upgrade - remote certificate is invalid
Ran into the same problem after replacing the certificate when upgrading from 6.0 to 6.7 and your solution fixed the problem.
Thanks a lot!
-
- Enthusiast
- Posts: 38
- Liked: 2 times
- Joined: Nov 12, 2018 7:07 pm
- Full Name: Vijay Kumar Gouni
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invalid
It works for me.
Thanks for sharing
-
- Enthusiast
- Posts: 62
- Liked: 7 times
- Joined: Feb 01, 2012 2:24 am
- Full Name: George Parker
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invalid
Thanks, this worked for me too
-
- Service Provider
- Posts: 44
- Liked: 4 times
- Joined: May 30, 2018 10:39 am
- Full Name: Berkovska
- Contact:
Re: After vSphere 6.0 upgrade - remote certificate is invalid
This should be a KB - worked flawlessly.
Thank you!