Hi micloud-bcourtade,
Yes, looks very similar. I'd have used Veeam's KB article if I knew it existed, my search didn't give me that page for some reason. My code doesn't include the extra KeyUsage information, and I avoided using IIS completely.
This was my solution:
The error was "This site can’t be reached The webpage at https://FQDN:1239/api/oauth2/email/signincompletion?code=..."
Note your FQDN and the port number.
In an administrative PowerShell run this:
Look for the port it was complaining about (Port 1239) and note down the Certificate Hash number and the Application ID number including its squiggly brackets {}.
Run this, replacing CERTIFICATE_HASH with the Certificate Hash number you just noted down:
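```powershell
# Show the certificate bound to the port, with its EKU and Key Usage.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {$_.Thumbprint -eq "CERTIFICATE_HASH"} |
    Select-Object Subject, FriendlyName, NotAfter,
        @{Name="EKU";Expression={$_.EnhancedKeyUsageList}},
        # Format() renders the extension as text, e.g. "Digital Signature, Key Encipherment (a0)"
        @{Name="KeyUsage";Expression={$_.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Key Usage"} | ForEach-Object {$_.Format($false)}}}
```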
If EKU doesn't say "Server Authentication (1.3.6.1.5.5.7.3.1)" and KeyUsage doesn't include "Digital Signature" or "Key Encipherment" then that is your problem.
Now create a new self-signed certificate, replacing FQDN with your FQDN from above:
```powershell
# Create a self-signed server certificate in the LocalMachine\My store.
$new = New-SelfSignedCertificate `
    -DnsName "FQDN" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature,KeyEncipherment `
    -Type SSLServerAuthentication `
    -NotAfter (Get-Date).AddYears(10)
# Print the thumbprint of the new certificate.
$new.Thumbprint
```
This will then give you a new thumbprint number.
Put the new thumbprint number into NEWTHUMBPRINT, and the Application ID number into APPLICATION_ID:
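```powershell
# Remove the old binding on the port, then bind the new certificate to it.
# APPLICATION_ID includes its squiggly brackets {}.
netsh http delete sslcert ipport=0.0.0.0:1239
netsh http add sslcert ipport=0.0.0.0:1239 `
    certhash=NEWTHUMBPRINT `
    appid="APPLICATION_ID"
```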
Then restart the VeeamOne services.
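
The check described in the post, collected into one function as an added example (not part of the original post or Veeam's code). The command the post ran to list the binding is not shown on the page; this sketch assumes `netsh http show sslcert` with English output labels, and `Test-HttpSysBindingCert` is a hypothetical helper name.

```powershell
# Added example: report whether the certificate bound to a port carries the
# EKU and Key Usage values the post checks for. Run in an elevated session.
function Test-HttpSysBindingCert {
    param(
        [string]$IpPort = '0.0.0.0:1239'   # binding from the post; adjust the port
    )

    # Assumption: English netsh labels ("Certificate Hash", "Application ID").
    $out = netsh http show sslcert "ipport=$IpPort" | Out-String
    if ($out -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        throw "No HTTP.sys SSL binding found for $IpPort"
    }
    $hash  = $Matches[1].ToUpper()
    $appId = if ($out -match 'Application ID\s*:\s*(\{[^}]+\})') { $Matches[1] }

    # The binding can point at a certificate that is no longer in the store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        throw "Certificate $hash is bound to $IpPort but is not in LocalMachine\My"
    }

    # Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1.
    $hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'

    # Key Usage extension is OID 2.5.29.15; matching on the OID avoids
    # depending on the localized friendly name.
    $ku      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $kuFlags = [int]$ku.KeyUsages          # 0 when the extension is absent
    $flag    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    [pscustomobject]@{
        IpPort              = $IpPort
        ApplicationId       = $appId       # needed again for "netsh http add sslcert"
        Thumbprint          = $hash
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        Expired             = $cert.NotAfter -lt (Get-Date)
        HasServerAuthEku    = $hasServerAuth
        HasDigitalSignature = ($kuFlags -band [int]($flag::DigitalSignature)) -ne 0
        HasKeyEncipherment  = ($kuFlags -band [int]($flag::KeyEncipherment)) -ne 0
    }
}

Test-HttpSysBindingCert -IpPort '0.0.0.0:1239' | Format-List
```

Running it again after rebinding shows whether the new certificate is the one HTTP.sys now serves on that port.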