Enterprise manager and vsphere plugin

[matteu]

Hello,

1) I think I find an issue :

On my lab, I have an existing Veeam Enterprise manager latest version (migrate from previous version) and I use vcenter 8 GA (no U2).
When I try to setup the vsphere plugin, I select the custom role I create on vcenter + portal administrator and then I try to install it.
EM say me it's installed but on vcenter I can see an error : certificate doesn't support digital signature key usage.

I tried to perform the exact same task but this time with a new Enterprise manager and it works perfectly.

=> The issue is related to my EM server and not configuration or vcenter.

I decide to compare both certificate and they are not the same.

So, I decide to follow the step on this documentation to renew the certificate on my working EM server : https://helpcenter.veeam.com/docs/backu ... ml?ver=120
To generate a self signed certificate from IIS and now, installation doesn't work anymore.

Conclusion :
On new installation, EM create a self signed certificate with different option than you have when you create it from the IIS manager.
If you can reproduce my issue that means the documentation is wrong about it. It's not possible to use IIS with generate self signed certificate for vsphere plugin to work.


PS : Difference I notice on the certificate :
Not working : usage = remote computer authentication + all issuance policies
Working : usage = all application policies + all issuance policies

2) If I understand how I have to manage permission on the new EM architecture :
I need to add on EM all vsphere roles assigned to the users I want to be able to use the plugin ?

Hope I will have some details about this issue

[haslund]

Sounds like an unexpected situation, upgrades of Enterprise Manager is of course supported and if everything works when you use a clean install it is worth taking a closer look. If you didn't already, please open a support case with all the relevant log files. If you already opened it, feel free to post the case ID here.

[matteu]

I just opened it now :
Case #07016134

[matteu]

No answer unfortunately because free support maybe...

[Origin 2000]

1. I have at least also one case of "certificate doesn't support digital signature key usage" at a customer
2. Im also unable to replace the SSL Cert of EM with a self signed from our internal CA (but here i think it have something to do with the WebServer Template with use)
3. I think that VBR 12 cant remove 11 or older Veeam Plugins from the vCenter. I have to remove them through vCenter Plugin Center or MOB

Veeam support was unable to help with a different Case as well (we see Cert Errors related to Keylenght or Encryption in vSphere Client after EM "successfully" installed the plugin.

[matteu]

Hello,
Not sure to understand but I never received any mail from the support and today the support engeneer close the ticket and I could not anymore seen it in my account ?
Someone from Veeam could maybe give me more information please ?

I only have NFR licenses because I'm service provider.

Thanks

[bct44]

Hello,I get the same error after upgrading to vsphere 8 with a vbr v12.1. I had no error in vsphere 7.
Certificate doesn't support 'digitalSignature' KeyUsage

I will open a support case.

[bct44]

Case number: 07074689. I can't edit my previoust post so sorry for the double post.

[matteu]

The r and d validates there is an error in documentation because self signed certificate with iis generates this error.
You need to create à custom Query to have à valid certificate with key usage digitalsignature

[bct44]

Hello Matteu, could you say more about the custom query?

[Origin 2000]

I hit it again "Certificate doesn't support 'digitalSignature' KeyUsage" again and we open a ticket. We reffer to this thread. With "custom Query" i think it meaned creating a CSR with the right Options?

Regards,
Joerg

[matteu]

Exactly, it's about create a query with good options

My support number : 07016134 (open on the end of november month...)

You can get an installer for Windows from here : https://slproweb.com/products/Win32OpenSSL.html

The steps here cover creating the certificate after installing openSSL : https://improveandrepeat.com/2019/03/cr ... n-windows/

[bct44]

Hello,

Just a quick update, we solved this issue by upgrading OS, update the self signed certificate on the server and on Vem WEBui.

[matteu]

Yes.
For me the support said they didn reproduce the issue...
It s strange because I can reproduction it infinitely but I give up with this support ticket. It was not about I m having an issue but just to say there is an error in the documentation

[Origin 2000]

The support suggest to create a new cert with the help of OpenSSL* and link to a howto elsewere. We solve the problem by using the certreq tool which part of Windows OS and create a CSR which we signed them by the interal CA. Because we are already there we added SAN information about FQDN,Shortname and IP.
If the cert contains a priv. Key it was accepted by the IIS Manager ->Site-> Veeam* -> Bindings and after a restart of the services the plugin works immediately.

So its a veeam issue and my fellings tell me that customers may effected with long running veeam installation. On the otherside those customers will have up to a dozen "veeam" certs in their cert store so at a time stuff seems to be updated.

* I am familar with Openssl but customer refuse to install additional software on his server. If needed i can post the request.inf like text file you need for the certreq tool.