-
ITinSpace
- Influencer
- Posts: 12
- Liked: 79 times
- Joined: Feb 11, 2026 8:44 pm
- Contact:
V13 certificate topics
moderator split from post564570.html#p564570
It's also about the services that are unnecessarily broadcasting untrusted self-signed certificates, which can't be changed or it breaks the PKI chain and breaks VBR's ability to back up computers with an agent. Enterprise-level PKI is not going to allow a backup server to become its own sub-CA to issue certificates, especially not within the US Federal Government agencies. That is not a thing. Please stop forcing it on us. Provide a way to make the program work where the WebUI isn't tied to the same certificate as the one running the backup jobs. I can't have an HTTP server broadcasting a self-signed, untrusted certificate just so I can use the WebUI to manage my backups. This worked fine in VBR12 on Windows, but it's broken in VBR13 on Windows with the console now requiring port 443 to be running just to manage our backups. From a security standpoint, you are going backwards.
-
HannesK
- Product Manager
- Posts: 15922
- Liked: 3579 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: V13 certificate topics
Hello,
I split that post from the other thread because it's different topics. Please use separate topics instead of derailing existing topics because it makes it hard for new readers to follow.
Agree on your statements. The topic is understood and we will change that as soon as possible after 13.1.
I agree that it would be great to fix it faster, but that's the current timeline.
Best regards
Hannes
-
ITinSpace
- Influencer
- Posts: 12
- Liked: 79 times
- Joined: Feb 11, 2026 8:44 pm
- Contact:
Re: V13 certificate topics
Hannes,
I agree that they are slightly separate, but also the same and are very much related. The services that get installed and are running within VBR, which break the program's operability when blocked in the firewall or uninstalled, are creating security vulnerabilities in your customers' infrastructure and have been for quite some time. Veeam seems to be ignoring them. We don't have months to fix security vulnerabilities. We have days.
-
HannesK
- Product Manager
- Posts: 15922
- Liked: 3579 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: V13 certificate topics
Hello,
13.1 is planned for summer this year.
The web server (technically reverse proxy) cannot be removed as it would break the entire product. It's not an optional component at all. If the certificate situation is a problem in your situation (which I can understand), then the only recommendation is to stay on V12 until it's fixed. V12 is still supported till February 2027. I get your point about the certificates situation and for now, I don't have a better recommendation than staying on V12.
Best regards
Hannes
-
RubinCompServ
- Service Provider
- Posts: 428
- Liked: 150 times
- Joined: Mar 16, 2015 4:00 pm
- Full Name: David Rubin
- Contact:
Re: V13 certificate topics
@ITinSpace didn't say that the web server is an optional component. He said that Veeam's method of certificate usage is unacceptable at an Enterprise level and needs to be fixed.
-
HannesK
- Product Manager
- Posts: 15922
- Liked: 3579 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: V13 certificate topics
Yes, I already agreed on that earlier.
-
ITinSpace
- Influencer
- Posts: 12
- Liked: 79 times
- Joined: Feb 11, 2026 8:44 pm
- Contact:
Re: V13 certificate topics
@RubinCompServ - I would love your post if the forums would allow it. I hate that I am having to ask for a "feature request" to fix a security vulnerability within the software that didn't exist until v13 and that Veeam support is helpless to do anything because they can only work within the confines of how the software is designed. I admit that I do like some of the things in v13, but I shouldn't have to sacrifice the security of my network to support a fancy new WebUI when the console as it was on v12 worked fine. This is not a feature request. This is a security vulnerability that I am forced to document in this way because Veeam's internal problem escalation processes are broken, as is their ability to know what their enterprise customers need to securely run Veeam software.