Discussions specific to the VMware vSphere hypervisor
Craigb
Influencer
Posts: 13
Liked: 26 times
Joined: Nov 14, 2012 2:28 am
Full Name: Craig Braithwaite
Contact:

After vSphere 6.0 upgrade - remote certificate is invalid

Post by Craigb » 22 people like this post

After upgrading the vsphere vCenter server from 5.5.2 to 6.0.0 (which did automatically upgrade the SSL certificates) backups and restores from veeam b&r 8.0.0.2 fail when tested.

The backup details show:
- Task failed Error: The remote certificate is invalid according to the validation procedure.

A restore attempt shows the following when attempting to expand the VC node:
- Failed to login to "myVC" by SOAP, port 443, user "myVC\admin_account", proxy srv: port:0
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.

<side_issue> tried upgrading the vsphere client (exe) on the b&r host to trick SSL, that didn't help </side_issue>

Ok.. so..
* In VeeamB&R -> "Backup Infrastructure", drill down the offered tree +Managed servers + VMware vSphere + vCenter Servers + myVC.
* right click on myVC and select menu item "properties"
.. 'Name' page .. leave alone
(b)"Next"
.. 'Credentials' page..
(b)"Next"
now this looks good.. "an untrusted certificate is installed on "myVC" and secure communication cannot be guaranteed. Connect to this server anyway?
(b)"Connect"
bit of connecting and saving server configuration going on.. then done
..'Summary' page.
shows a summary that includes "Host info: VMware VCenter Server 5.5.0 build-2183111" which I think is odd since the whole issue stems from the upgrade to 6.0.0 and the build shown there is 2656760.
(b)"Finish"

ps: "myVC" is my vCenter server, mine isn't actually called that and I doubt yours is either.

Test a restore of an 'incidental' machine.. I can now browse past the VC node of the Hosts and Clusters tree which was my initial stopping point so I'll cancel the restore wizard and test a backup.

Backup and Replication -> jobs -> Backup -> cbdev.. [RMB] start ...success !!

It's been a bit of a day, I hope this info helps someone.

foggy
Veeam Software
Posts: 19676
Liked: 1810 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by foggy »

Craig, thanks for sharing this with the community! Much appreciated.

trl-london
Lurker
Posts: 1
Liked: never
Joined: Jan 04, 2012 11:02 am
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by trl-london »

Thanks for taking the time to share that.

You have just saved several hours of my Friday night working through the problem.

Much appreciated.

gurneetech
Influencer
Posts: 10
Liked: 5 times
Joined: Jun 23, 2014 1:51 pm
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by gurneetech »

Thank you, this helped me as well. Steps where identical to what I saw, including the vCenter version cosmetically listing at v5.5.

etb
Novice
Posts: 3
Liked: 1 time
Joined: Jun 26, 2015 2:57 pm
Full Name: Eric Bostrom
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by etb »

Thx bud, this fixed it.

ryanworrell
Lurker
Posts: 2
Liked: 1 time
Joined: Dec 04, 2014 6:02 pm
Full Name: Ryan Worrell
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by ryanworrell »

Thanks for sharing!

DaveBristolIT
Influencer
Posts: 14
Liked: 1 time
Joined: Mar 17, 2014 11:06 am
Full Name: Dave Hamer
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by DaveBristolIT »

Confirmed: Also works with Standalone ESXi hosts

chjones
Expert
Posts: 108
Liked: 29 times
Joined: Oct 30, 2012 7:53 pm
Full Name: Chris Jones
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by chjones »

I had the same issue after replacing all certificates with ones signed by our internal Microsoft Enterprise Root CA, a rescan of vCenter would fail along with backups and restores due to certificate errors. I did the same thing, just edit the vCenter Server within the B&R Console and click Next thru the entire wizard, then click Finish. It's almost too easy. Then I did a rescan of vCenter and it was all good.

It should be a good habit of all B&R admins that whenever you change anything at all with vCenter, storage infrastructure or proxies you should always rescan that infrastructure within the B&R console. I do this religiously and it solves problems before they become real issues.

tinto1970
Enthusiast
Posts: 81
Liked: 28 times
Joined: Sep 26, 2013 8:40 am
Full Name: Alessandro Tinivelli
Location: Bologna, Italy
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by tinto1970 » 1 person likes this post

Craigb wrote: * In VeeamB&R -> "Backup Infrastructure", drill down the offered tree +Managed servers + VMware vSphere + vCenter Servers + myVC.
* right click on myVC and select menu item "properties"
.. 'Name' page .. leave alone
(b)"Next"
.. 'Credentials' page..
(b)"Next"
now this looks good.. "an untrusted certificate is installed on "myVC" and secure communication cannot be guaranteed. Connect to this server anyway?
(b)"Connect"
bit of connecting and saving server configuration going on.. then done
..'Summary' page.
shows a summary that includes "Host info: VMware VCenter Server 5.5.0 build-2183111" which I think is odd since the whole issue stems from the upgrade to 6.0.0 and the build shown there is 2656760.
(b)"Finish"
hi, this was useful even after a certificate regeneration performed on a VCSA.
Alessandro Tinivelli aka Tinto
@tinto1970

AnnaR
Lurker
Posts: 1
Liked: never
Joined: Nov 10, 2010 7:36 pm
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by AnnaR »

Thanks for the info! Fixed my issue. :) :D

rschuiling
Lurker
Posts: 2
Liked: 5 times
Joined: Nov 07, 2014 1:18 am
Full Name: Raymond Schuiling

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by rschuiling » 1 person likes this post

Yep, same here after I changed the certifcate of the VCSA for Citrix integration .......
Followed your steps and it was solved. Thanks !!
Will also religiously rescan Veeam infrastructure :mrgreen:

cminias
Lurker
Posts: 2
Liked: 1 time
Joined: Nov 15, 2013 12:43 pm
Full Name: Christos Minias
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by cminias » 1 person likes this post

Craig you are awesome. Not only you figured out an obscure error, but you took the time to post it (and save my day).
Thank you!
:D

Terrh
Lurker
Posts: 1
Liked: never
Joined: Sep 14, 2015 4:04 am
Full Name: James C King
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by Terrh »

Saved me a whole bunch of pain too - Let me add my thanks too!

gtaylor85
Lurker
Posts: 1
Liked: never
Joined: Feb 01, 2016 3:59 pm
Full Name: Garrett
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by gtaylor85 »

This helped me today. Thank you for sharing.

straycur
Novice
Posts: 4
Liked: 5 times
Joined: Aug 12, 2013 11:27 pm
Full Name: Susan Strayer Curtis
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by straycur »

Thx for the helpful post. Certs broke in Veeam after our cert manager updated them.

To fix them all I had to do was drill into Backup Infrastructure -> VMware server, touch Credentials (without changing them) and Finish the configuration
VMs started backing up successfully again for both running jobs, and failed jobs that I retried just 45 minutes after I first saw the failures.

Quick easy solution to something that could have been long and painful.

mckaj
Novice
Posts: 8
Liked: never
Joined: Feb 24, 2016 9:30 pm
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by mckaj »

+1 on the community kudos meter for this one.

I managed to trigger this one by doing a clone migration of a vcenter appliance from one host to another in a small Essentials environment.

Have also added "rescan everything" after touching anything to my best practices bundle.

Thanks Craig, and others for comments.

Cheers
Andrew

techgal64
Novice
Posts: 3
Liked: never
Joined: Mar 10, 2016 12:16 pm
Full Name: Julie Reynolds
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by techgal64 »

Thanks for this information! My backups had been working fine but I made changes to my vCenter appliance; changed the location of core and log files to a NFS share.

Followed your instructions and I am back in business.

mdornfeld
Expert
Posts: 125
Liked: 2 times
Joined: Mar 23, 2009 4:44 pm
Full Name: Matt
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by mdornfeld »

Thank you! Helped us out today.

nreutemann
Enthusiast
Posts: 47
Liked: 6 times
Joined: Mar 06, 2012 11:45 pm
Full Name: Nicolas Reutemann
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by nreutemann »

Works too after upgrading from vCenter 5.1 to 5.5

Thanks!

lmayorgas
Lurker
Posts: 1
Liked: never
Joined: Mar 06, 2012 8:43 am
Full Name: Luis F. Mayorgas
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by lmayorgas »

It worked fine for me too. Thanks a lot!

IonutN
Novice
Posts: 4
Liked: 1 time
Joined: Sep 25, 2014 8:57 am
Full Name: Ionut Nica
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by IonutN » 1 person likes this post

HI,

is there any programmatic way to do this?
we have 30 BRS servers, and 30 vcenters, and we have a partial mesh topology.
so doing this a few hundred times a year looks rather daunting and pointless.

Also I'm not sure I understand why this is happening.
we have PKI issued certificates and the windows servers where B&R runs trust the certificate issued to vcenter.
is there any to add the root CAs to Veeam certificate store or something?

BackerML
Lurker
Posts: 1
Liked: never
Joined: Apr 05, 2016 1:15 pm
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by BackerML »

Thank you so much for posting this. Saved me so much frustration! I saw all my backups fail and thought to myself "Today is gonna suck..." Thanks again!

slash24
Lurker
Posts: 1
Liked: never
Joined: Jun 08, 2017 6:36 pm
Full Name: Chris Supnet

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by slash24 »

Thank you for this... saved me a ton of time! :D

lukasos
Novice
Posts: 5
Liked: 1 time
Joined: Oct 23, 2017 10:50 am
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by lukasos »

Nice one, thanks
Had a problem after upgrading ESXI to 6.5 and this fixed it.

ARHT
Lurker
Posts: 2
Liked: never
Joined: Jan 10, 2017 5:18 am
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by ARHT »

Excellent - your brain worked hard so mine didn't have to. Cheers for that!
In this instance I created my own problem after upgrading V B&R to 9.5 u3a and [the next day] VCentre to 6.7 [from 6.5]. I haven't updated the hosts yet. Fiddling with Vcentre and Update Manager I came across cert issues which I thought I'd 'refresh' to see if that fixed the alerts I was seeing. Broke Veeam... If you have this issue pay attention to which certs have caused the issue: if on VCentre then run through credential re-save as OP instructed via 'BackUp Infrastructure', if on host/s then same process but through 'Inventory' on each affected host.

souperstar
Enthusiast
Posts: 38
Liked: 4 times
Joined: Dec 30, 2011 10:26 pm
Full Name: Chris

Re: After vSphere 6.0 upgrade - remote certificate is invali

Post by souperstar »

We had this issue on the latest version of VB&R (9.5.0.1922) - but only after migrating vCenter to its latest version (6.5 > 6.7.0 build 9433894). Thank you for the post!

cividan
Influencer
Posts: 19
Liked: never
Joined: Feb 06, 2015 4:17 pm

Re: After vSphere 6.0 upgrade - remote certificate is invalid

Post by cividan »

Ran into the same problem after replacing the certificate when upgradading from 6.0 to 6.7 and your solution fixed the problem.
Thanks alot!

vijayG
Enthusiast
Posts: 38
Liked: 2 times
Joined: Nov 12, 2018 7:07 pm
Full Name: Vijay Kumar Gouni
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invalid

Post by vijayG »

It works for me.

Thanks for sharing

gparker
Enthusiast
Posts: 54
Liked: 6 times
Joined: Feb 01, 2012 2:24 am
Full Name: George Parker
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invalid

Post by gparker »

Thanks, this worked for me too :)

Berkovska
Service Provider
Posts: 44
Liked: 3 times
Joined: May 30, 2018 10:39 am
Full Name: Berkovska
Contact:

Re: After vSphere 6.0 upgrade - remote certificate is invalid

Post by Berkovska »

This should be a KB - worked flawlessly.
Thank you!

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 21 guests