pirx
Veteran
Posts: 665
Liked: 99 times
Joined: Dec 20, 2015 6:24 pm
Contact:

[v13] import Certificate Signed by Internal CA

Post by pirx »

I've created and imported certificates before, but doing this for the v13 appliance is giving me a hard time.

I found this https://helpcenter.veeam.com/docs/vbr/u ... +ca&ver=13

I first tried "Importing Certificate from Certificate Store" but it does not even show the certificate that I imported on the Windows system where I started the console.

Next I tried "Using Certificate Signed by Internal CA" but there is not much reference to the appliance. So I transferred my cert files to the appliance, put them in /var/lib/veeam/... and tried to import from there with the enc password. But then I get the error "error:0308010C:digital envelope routines::unsupported". It's probably in the wrong format... but I do not have many options as the cert gets centrally created.

Any ideas what I have to do differently?
Mildur
Product Manager
Posts: 11076
Liked: 3048 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur »

Hi Pirx,

In v13.0.1, we’ll introduce a wizard to simplify certificate import. But the process in v13.0 is a bit more complex.
I recommend waiting for v13.0.1; but if you need it sooner, please let me know and I’ll share the manual process with you in a private message.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by pirx »

Hi Fabian, any ETA for 13.0.1? If it is not too much work I'd appreciate getting the manual steps in a PM

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur »

Hi Pirx,

I’ll need to double-check the manual procedure to confirm whether it resolves your request. I’ll share it with you once I have the answer.
We’re not far from the release day — you can register for the global launch event on November 19th.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur »

Hi Pirx,

I tested it in my lab by importing a PFX:
- I’ll share the procedure to "import/trust the root CA certificate" via private message.
- For the backup server certificate, please try to export it using AES256-SHA256 encryption.

It seems that the current build of the appliance doesn’t work with TripleDES-SHA1 encryption. I got the same error as you.
But import with a PFX and AES256-SHA256 encryption worked for me in my lab.

Best,
Fabian
Product Management Analyst @ Veeam Software
Gostev
Chief Product Officer
Posts: 32897
Liked: 8055 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [v13] import Certificate Signed by Internal CA

Post by Gostev » 1 person likes this post

The error is because TripleDES and SHA1 are not FIPS compliant (deprecated in 2019 and disallowed for use after 2023 by NIST). Veeam Software Appliance is strict about that.
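
The re-export that Mildur and Gostev describe above can also be done with openssl when the PFX comes from a central CA and cannot be re-issued. This is an added example, not part of the thread and not Veeam's procedure; the function names, file names and password are constructed for illustration.

```shell
# Added example. File names and the password are constructed for the demo.

# List the encryption and MAC algorithms of a PKCS#12 file (openssl prints them on stderr).
pfx_algorithms() {  # usage: pfx_algorithms FILE PASSWORD
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 |
    grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# True when any bag or the MAC still uses 3DES, RC2 or SHA-1.
pfx_is_legacy() {  # usage: pfx_is_legacy FILE PASSWORD
  pfx_algorithms "$1" "$2" | grep -Eiq 'TripleDES|RC2|MAC: sha1,'
}

# Rewrite IN as OUT with AES-256-CBC (PBES2) bags and a SHA-256 MAC, same password.
pfx_reencrypt_aes256() {  # usage: pfx_reencrypt_aes256 IN OUT PASSWORD
  local pem rc
  pem=$(mktemp) || return 1          # mode 0600; briefly holds the unencrypted key
  openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$pem" -out "$2" -passout "pass:$3" \
      -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256
  rc=$?
  rm -f "$pem"
  return $rc
}

# Build a constructed, self-signed PFX protected the TripleDES-SHA1 way.
make_demo_legacy_pfx() {  # usage: make_demo_legacy_pfx OUT PASSWORD
  local d rc
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vbr.example.test' \
      -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" -out "$1" \
      -passout "pass:$2" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  rc=$?
  rm -rf "$d"
  return $rc
}

# Usage:
#   make_demo_legacy_pfx old.pfx 'Demo-Pass-1' && pfx_algorithms old.pfx 'Demo-Pass-1'
#   pfx_reencrypt_aes256 old.pfx new.pfx 'Demo-Pass-1' && pfx_algorithms new.pfx 'Demo-Pass-1'
```

A `pass:` argument is visible in the process list, so for a real key use openssl's `file:` or `env:` password sources instead. If the source file encrypts its certificate bag with RC2, OpenSSL 3 needs `-legacy` on the first `pkcs12` command.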
spiritie
Service Provider
Posts: 209
Liked: 44 times
Joined: Mar 01, 2016 10:16 am
Full Name: Gert
Location: Denmark
Contact:

Re: [v13] import Certificate Signed by Internal CA

Post by spiritie »

Mildur wrote: Oct 28, 2025 4:12 pm
Hi Pirx,

In v13.0.1, we’ll introduce a wizard to simplify certificate import. But the process in v13.0 is a bit more complex.
I recommend waiting for v13.0.1; but if you need it sooner, please let me know and I’ll share the manual process with you in a private message.

Best,
Fabian
Hi Fabian

Did this make it into 13.0.1? I've just updated my v13 LAB which runs with the appliance and I'm not able to find anything. I haven't had luck with adding my root CA certs into this folder: /etc/pki/ca-trust/source/anchors/

I just keep getting this error:

Provided certificate (<thumbprint>) is not trusted by VBR server. Make sure that the certificate chain was issued by a trusted authority.
Followed this guide: https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13 + rebooted the entire appliance.

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur » 1 person likes this post

Certificate management — such as handling trusted root CAs — is still on our roadmap and may arrive with some luck in v13.1.
For now you have to use SSH. I’ll share the manual process for doing this via SSH in a direct message.
Let me know if it works.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by spiritie »

Thanks, I got it working, I replied to your message with some added recommendations.

Is there a reason why the "Host Management" site on port 10443 is not affected by this cert change, it's still using the default self-signed cert?

Bug or on your to-do?

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur »

Host Management is a different application/service than Veeam Backup & Replication. To my best knowledge it uses its own certificate.
I'll double check with the team if the certificate can be replaced today.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur » 1 person likes this post

It is currently not possible to update the certificate for Host Management Web UI.
But it will be possible in the planned Certificates Manager.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by spiritie »

@Veeam or @Mildur

Do you have documentation on the process of reverting a broken cert? We've been playing a bit and we tried adding in a cert that mimics the properties of the "Subordinate Certification Authority template", but we are using HashiCorp Vault.

We managed to completely break VBR, we cannot access it through the web interface or the Veeam Console. When trying to access it through the website we get "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and the Veeam console just loads forever without anything happening.

My questions and feedback regarding the VBR appliance:
  • VBR should be more strict when applying certificates, and if the process fails it should revert itself if the certificate is not sufficient (We even tried rebooting it, no luck)
  • Does the VBR appliance currently support the "Subordinate Certification Authority" certificates? I suspect the VBR simply tried to add the Sub Cert as its own cert, but it should be issuing a cert to itself through that sub cert (just like VMware vCenter does, to give an example) or else the cert we created in the HashiCorp Vault is simply invalid (haven't tested our Windows CA yet)
  • The Certificate Manager you mentioned, will this also have the ability to create the CSR + private key so that we can directly grab the CSR and upload it to our choice of CA to issue the cert to our VBR servers?
  • How to revert the certificate on the VBR appliance now that it's broken?
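
A pre-flight check of the kind the first bullet asks for can be run by hand before a certificate is applied. This is an added example, not part of the thread and not Veeam's validation logic; the policy (no CA certificates, digitalSignature key usage, serverAuth extended key usage), the function names and the demo certificates are assumptions made for illustration.

```shell
# Added example; the policy below is an assumption, not the appliance's own checks.
# Prints one finding per line and returns 0 only if the PEM certificate looks
# like a TLS server leaf certificate.
check_server_cert() {  # usage: check_server_cert CERT.pem
  local text rc=0
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
    { echo "unreadable certificate"; return 2; }
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "basicConstraints CA:TRUE (CA certificate, not a server leaf)"; rc=1
  fi
  # An absent keyUsage extension permits every usage; a present one must allow signing.
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' &&
     ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'; then
    echo "keyUsage lacks digitalSignature (needed for ECDHE and TLS 1.3)"; rc=1
  fi
  # Same rule for extendedKeyUsage: if present, it must list serverAuth.
  if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' &&
     ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
         grep -q 'TLS Web Server Authentication'; then
    echo "extendedKeyUsage lacks serverAuth"; rc=1
  fi
  return $rc
}

# Build a constructed self-signed demo certificate with the given extension lines.
make_demo_cert() {  # usage: make_demo_cert OUT.pem 'ext=value' ['ext=value' ...]
  local out d rc
  out=$1; shift
  d=$(mktemp -d) || return 1
  { printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
    printf '[dn]\nCN=vbr.example.test\n[ext]\n'
    printf '%s\n' "$@"; } > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
      -keyout "$d/key.pem" -out "$out" 2>/dev/null
  rc=$?
  rm -rf "$d"
  return $rc
}

# Usage:
#   make_demo_cert subca.pem 'basicConstraints=critical,CA:TRUE' \
#                            'keyUsage=critical,keyCertSign,cRLSign'
#   check_server_cert subca.pem || echo "do not apply this certificate"
```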

Re: [v13] import Certificate Signed by Internal CA

Post by Mildur »

Hi Gert,

Please reach out to our support team, as I don’t have documentation describing how to resolve technical issues with certificates.
If support cannot provide a solution, the cleanest approach may be "Reinstalling Veeam Software Appliance from ISO".

Regarding your questions:
1.) Let’s wait for support to confirm whether the process was detected as failed or not.
2.) I’ll double-check with the team next week.
3.) I’m not sure yet, but I’ll forward your feedback to the R&D team responsible for this feature.
4.) Please check with support or use the reinstall option.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [v13] import Certificate Signed by Internal CA

Post by spiritie »

Hi Mildur

I wasn't interested in contacting support for this matter since it's only a VSA test in our LAB. I gained shell access and quickly found the path to the NGINX cert, I simply copied the cert + key from the MGMT site (port 10443) and restarted the NGINX service.

To anyone else finding this post in the future: if you have Linux knowledge you will quickly be able to find your way around the filesystem in the VSA and solve the issue yourself.

This was also the way I achieved getting my own certificate on the MGMT site (port 10443). I used the Veeam GUI to apply my working cert and then in the shell I copied the .crt + .key and replaced the default certs related to the MGMT site and restarted NGINX again.

Have fun :)