-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Enterprise manager and vsphere plugin
Hello,
1) I think I find an issue :
On my lab, I have an existing Veeam Enterprise manager latest version (migrate from previous version) and I use vcenter 8 GA (no U2).
When I try to setup the vsphere plugin, I select the custom role I create on vcenter + portal administrator and then I try to install it.
EM say me it's installed but on vcenter I can see an error : certificate doesn't support digital signature key usage.
I tried to perform the exact same task but this time with a new Enterprise manager and it works perfectly.
=> The issue is related to my EM server and not configuration or vcenter.
I decide to compare both certificate and they are not the same.
So, I decide to follow the step on this documentation to renew the certificate on my working EM server : https://helpcenter.veeam.com/docs/backu ... ml?ver=120
To generate a self signed certificate from IIS and now, installation doesn't work anymore.
Conclusion :
On new installation, EM create a self signed certificate with different option than you have when you create it from the IIS manager.
If you can reproduce my issue that means the documentation is wrong about it. It's not possible to use IIS with generate self signed certificate for vsphere plugin to work.
PS : Difference I notice on the certificate :
Not working : usage = remote computer authentication + all issuance policies
Working : usage = all application policies + all issuance policies
2) If I understand how I have to manage permission on the new EM architecture :
I need to add on EM all vsphere roles assigned to the users I want to be able to use the plugin ?
Hope I will have some details about this issue
1) I think I find an issue :
On my lab, I have an existing Veeam Enterprise manager latest version (migrate from previous version) and I use vcenter 8 GA (no U2).
When I try to setup the vsphere plugin, I select the custom role I create on vcenter + portal administrator and then I try to install it.
EM say me it's installed but on vcenter I can see an error : certificate doesn't support digital signature key usage.
I tried to perform the exact same task but this time with a new Enterprise manager and it works perfectly.
=> The issue is related to my EM server and not configuration or vcenter.
I decide to compare both certificate and they are not the same.
So, I decide to follow the step on this documentation to renew the certificate on my working EM server : https://helpcenter.veeam.com/docs/backu ... ml?ver=120
To generate a self signed certificate from IIS and now, installation doesn't work anymore.
Conclusion :
On new installation, EM create a self signed certificate with different option than you have when you create it from the IIS manager.
If you can reproduce my issue that means the documentation is wrong about it. It's not possible to use IIS with generate self signed certificate for vsphere plugin to work.
PS : Difference I notice on the certificate :
Not working : usage = remote computer authentication + all issuance policies
Working : usage = all application policies + all issuance policies
2) If I understand how I have to manage permission on the new EM architecture :
I need to add on EM all vsphere roles assigned to the users I want to be able to use the plugin ?
Hope I will have some details about this issue
-
- Veeam Software
- Posts: 839
- Liked: 149 times
- Joined: Feb 16, 2012 7:35 am
- Full Name: Rasmus Haslund
- Location: Denmark
- Contact:
Re: Enterprise manager and vsphere plugin
Sounds like an unexpected situation, upgrades of Enterprise Manager is of course supported and if everything works when you use a clean install it is worth taking a closer look. If you didn't already, please open a support case with all the relevant log files. If you already opened it, feel free to post the case ID here.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
I just opened it now :
Case #07016134
Case #07016134
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
No answer unfortunately because free support maybe...
-
- Service Provider
- Posts: 84
- Liked: 20 times
- Joined: Sep 24, 2020 2:14 pm
- Contact:
Re: Enterprise manager and vsphere plugin
1. I have at least also one case of "certificate doesn't support digital signature key usage" at a customer
2. Im also unable to replace the SSL Cert of EM with a self signed from our internal CA (but here i think it have something to do with the WebServer Template with use)
3. I think that VBR 12 cant remove 11 or older Veeam Plugins from the vCenter. I have to remove them through vCenter Plugin Center or MOB
Veeam support was unable to help with a different Case as well (we see Cert Errors related to Keylenght or Encryption in vSphere Client after EM "successfully" installed the plugin.
2. Im also unable to replace the SSL Cert of EM with a self signed from our internal CA (but here i think it have something to do with the WebServer Template with use)
3. I think that VBR 12 cant remove 11 or older Veeam Plugins from the vCenter. I have to remove them through vCenter Plugin Center or MOB
Veeam support was unable to help with a different Case as well (we see Cert Errors related to Keylenght or Encryption in vSphere Client after EM "successfully" installed the plugin.
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
Hello,
Not sure to understand but I never received any mail from the support and today the support engeneer close the ticket and I could not anymore seen it in my account ?
Someone from Veeam could maybe give me more information please ?
I only have NFR licenses because I'm service provider.
Thanks
Not sure to understand but I never received any mail from the support and today the support engeneer close the ticket and I could not anymore seen it in my account ?
Someone from Veeam could maybe give me more information please ?
I only have NFR licenses because I'm service provider.
Thanks
-
- Veeam Software
- Posts: 110
- Liked: 29 times
- Joined: Jul 28, 2022 12:57 pm
- Contact:
Re: Enterprise manager and vsphere plugin
Hello,I get the same error after upgrading to vsphere 8 with a vbr v12.1. I had no error in vsphere 7.
Certificate doesn't support 'digitalSignature' KeyUsage
I will open a support case.
Certificate doesn't support 'digitalSignature' KeyUsage
I will open a support case.
-
- Veeam Software
- Posts: 110
- Liked: 29 times
- Joined: Jul 28, 2022 12:57 pm
- Contact:
Re: Enterprise manager and vsphere plugin
Case number: 07074689. I can't edit my previoust post so sorry for the double post.
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
The r and d validates there is an error in documentation because self signed certificate with iis generates this error.
You need to create à custom Query to have à valid certificate with key usage digitalsignature
You need to create à custom Query to have à valid certificate with key usage digitalsignature
-
- Veeam Software
- Posts: 110
- Liked: 29 times
- Joined: Jul 28, 2022 12:57 pm
- Contact:
Re: Enterprise manager and vsphere plugin
Hello Matteu, could you say more about the custom query?
-
- Service Provider
- Posts: 84
- Liked: 20 times
- Joined: Sep 24, 2020 2:14 pm
- Contact:
Re: Enterprise manager and vsphere plugin
I hit it again "Certificate doesn't support 'digitalSignature' KeyUsage" again and we open a ticket. We reffer to this thread. With "custom Query" i think it meaned creating a CSR with the right Options?
Regards,
Joerg
Regards,
Joerg
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
Exactly, it's about create a query with good options
My support number : 07016134 (open on the end of november month...)
You can get an installer for Windows from here : https://slproweb.com/products/Win32OpenSSL.html
The steps here cover creating the certificate after installing openSSL : https://improveandrepeat.com/2019/03/cr ... n-windows/
My support number : 07016134 (open on the end of november month...)
You can get an installer for Windows from here : https://slproweb.com/products/Win32OpenSSL.html
The steps here cover creating the certificate after installing openSSL : https://improveandrepeat.com/2019/03/cr ... n-windows/
-
- Veeam Software
- Posts: 110
- Liked: 29 times
- Joined: Jul 28, 2022 12:57 pm
- Contact:
Re: Enterprise manager and vsphere plugin
Hello,
Just a quick update, we solved this issue by upgrading OS, update the self signed certificate on the server and on Vem WEBui.
Just a quick update, we solved this issue by upgrading OS, update the self signed certificate on the server and on Vem WEBui.
-
- Veeam Legend
- Posts: 725
- Liked: 118 times
- Joined: May 11, 2018 8:42 am
- Contact:
Re: Enterprise manager and vsphere plugin
Yes.
For me the support said they didn reproduce the issue...
It s strange because I can reproduction it infinitely but I give up with this support ticket. It was not about I m having an issue but just to say there is an error in the documentation
For me the support said they didn reproduce the issue...
It s strange because I can reproduction it infinitely but I give up with this support ticket. It was not about I m having an issue but just to say there is an error in the documentation
-
- Service Provider
- Posts: 84
- Liked: 20 times
- Joined: Sep 24, 2020 2:14 pm
- Contact:
Re: Enterprise manager and vsphere plugin
The support suggest to create a new cert with the help of OpenSSL* and link to a howto elsewere. We solve the problem by using the certreq tool which part of Windows OS and create a CSR which we signed them by the interal CA. Because we are already there we added SAN information about FQDN,Shortname and IP.
If the cert contains a priv. Key it was accepted by the IIS Manager ->Site-> Veeam* -> Bindings and after a restart of the services the plugin works immediately.
So its a veeam issue and my fellings tell me that customers may effected with long running veeam installation. On the otherside those customers will have up to a dozen "veeam" certs in their cert store so at a time stuff seems to be updated.
* I am familar with Openssl but customer refuse to install additional software on his server. If needed i can post the request.inf like text file you need for the certreq tool.
If the cert contains a priv. Key it was accepted by the IIS Manager ->Site-> Veeam* -> Bindings and after a restart of the services the plugin works immediately.
So its a veeam issue and my fellings tell me that customers may effected with long running veeam installation. On the otherside those customers will have up to a dozen "veeam" certs in their cert store so at a time stuff seems to be updated.
* I am familar with Openssl but customer refuse to install additional software on his server. If needed i can post the request.inf like text file you need for the certreq tool.
Who is online
Users browsing this forum: No registered users and 46 guests