Unable to connect to Nutanix cluster from VBR

[JaySt]

Hi,

Support case #05980400 , but i though i might try here as well.

I'm using the latest Veeam v12 release and AHV plugin and i try to add a Nutanix cluster (running Nutanix version 6.5.2.5 LTS) to VBR infrastructure. At the point when i've entered my cluster fqdn and selected my credentials (a local user on the cluster with admin role assigned), the console displays an error and refused to connect. The error states the account is "unauthorized". However, that's not the case.
Veeam.AHV.PlatformSvc.log shows Veeam tries to connect to the cluster REST API endpoint https://fqdn:9440/PrismGateway/services ... .0/cluster but gets a 401 (unauthorized) returned. After that, the log lines show a "certificate validation error", probably caused by the 401. The cluster is using a certificate issued by an internal CA.

When opening the web GUI at https://fqdn:9440 on the VBR itself , no issues or messages are displayed. Certificate is properly accepted by the browser. Logging in with the exact same credentials works fine using a browser. Browsing to the API endpoint after authenticating with the browser on the VBR server is working fine too. Cluster info is dumped to JSON.

I also wrote an powershell script to connect to the API using the username/password combination that VBR would also use to add the cluster to the console. Powershell script runs fine on the VBR server, no connectivity issues whatsoever, certainly no 401-scenario's. The powershell script only gets the 401 when i would put in the wrong credentials.

so i'm a bit lost here and question what to do. I've checked all my connectivity, verified all on the VBR server, but Veeam won't connect to the API.
i have some suspects: either(1) Veeam fails to authenticate due to wrongly connecting to the API because it does something wrong with the credentials retrieved from the database or connecting to the API in a way that fails authentication(resulting in a 401). Or (2) Veeam VBR(and AHV plugin) don't like the internal CA issued certificate somehow (as there is a KB about this, but only for a scenario letting the appliances connect to the cluster, i'm not there yet).

VBR is installed on Windows Server 2022, so no TLS Cipher support issues. All should be supported.
I've checked with openssl.exe cli to connect to the API endpoint, no issues, all good.

any tips? Support wants to try to remove the certificate from the cluster and try to connect VBR when a selfsigned certificate is in place on the cluster and later switch it back and explicitly make the cert known on the then deployed Veeam proxy appliances etc. But that's not something i look forward doing and doesnt make a lot of sense.

[ronnmartin61]

Have you checked out https://www.veeam.com/kb4433?

[JaySt]

Yes, i saw that one and thats why i started doubting the internal CA cert. But the appliance has not even been deployed, so the Kb does not really apply that well. Im still at the very first step of connecting to the cluster from VBR, so thats all i got.

[JaySt]

I switched the cluster to self signed cert and retried. Worked right away. So after all, it was something with the cert.
I now have to test the procedure in the mentioned KB after i switch back to the internal CA issued certificate on the cluster. It will probably go fine after that.
Not sure what scenarios in the future would require me to do this again. I hope it can be fixed somehow by Veeam (if it's even a Veeam issue....)

[JaySt]

just got an update from support. Seems QA department found the root cause of this issue and it will be fixed in one of the next builds.

[arogarth]

Thanks, same here - Workaround is to add cluster by IP Address

[JaySt]

not in my case. tried that.