Veeam update fails with "This Veeam Backup & Replication / Veeam ONE installation cannot be updated automatically"

Update setup program checks the digital signature of the existing files to ensure their integrity before updating them. All product files are signed using Global Sign certificates. Some Windows installations do not contain Global Sign's root certificates authority as trusted root certificates, or have non-current certificates. This issue is typically observed on servers with locked down security settings, or servers with no internet access or latest updates installed.

To resolve this issue, please install the below certificates manually on the system:
https://www.digicert.com/CACerts/DigiCertAssuredIDRootCA.crt (DigiCert Assured ID Root CA)
http://secure.globalsign.com/cacert/gscodesigng3ocsp.crt (GlobalSign CodeSigning CA - G3)
https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt (DigiCert High Assurance EV Root CA)
https://www.digicert.com/CACerts/DigiCertEVCodeSigningCA-SHA2.crt (DigiCert EV Code Signing CA - SHA2)
https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates (install R1, R2, and R3 certificates)

Additional certificates are needed for Veeam ONE 9.5 Update 4:
For SHA1: https://www.thawte.com/roots/Thawte_Timestamping_CA.pem (Thawte Timestamping CA)
For SHA2: https://www.websecurity.symantec.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/roots/VeriSign-Universal-Root-Certification-Authority.pem (VeriSign Universal Root Certification Authority)

If your backup server does not have internet access, please download certificate files from another computer.

 

To install a certificate:
Right-click on the certificate file in Windows, select "Install Certificate", install on "Local Machine", and select the store "Trusted Root Certification Authorities". When installed properly, "GlobalSign" and "GlobalSign Root CA" should show under Console root -> Certificates -> Trusted Root Certification Authorities -> Certificates.