Error "Failed to establish connection to Amazon S3 endpoint" when adding an Amazon S3 object storage repository

KB ID:
3215
Product:
Veeam Backup & Replication
Version:
Published:
Last Modified:
2020-06-30

Challenge

Adding an Amazon S3 object storage repository may fail with the following error: "Failed to load Amazon S3 Compatible configuration: Failed to establish connection to Amazon S3 Compatible endpoint. See logs for details."

The log file %programdata%\Veeam\Backup\Satellites\BackupServer\User\Agent.PublicCloud.Satellite.log (default location) contains the following entries:

[15.06.2020 11:00:00]   < 5836> net| Retrieving certificate for s3.amazonaws.com:443 ok.
[15.06.2020 11:00:00]   < 5836> cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[15.06.2020 11:00:00]   < 5836> cli| Result
[15.06.2020 11:00:00]   < 5836> cli| (EString) Certificate = -----BEGIN CERTIFICATE-----
....
[15.06.2020 11:00:00]   < 5836> cli| -----END CERTIFICATE-----
[15.06.2020 11:00:00]   < 5836> cli|
[15.06.2020 11:00:00]   < 5836> cli| (EBoolean) IsTrusted = true
[15.06.2020 11:00:00]   < 5836> cli| AmazonRest.S3.TestConnection
[15.06.2020 11:00:00]   < 5836> cli| (EGuid) ClientId = {abcf50ec-e8a7-4cd7-a186-22fa9447c676}
[15.06.2020 11:00:00]   < 5836> cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[15.06.2020 11:00:00]   < 5836> aws| Creating HTTP client. API URI: [https://s3.amazonaws.com]
[15.06.2020 11:00:00]   < 18772> aws| WARN|HTTP request failed, retry in [1] seconds, attempt number [1], total retry timeout left: [5] seconds
[15.06.2020 11:00:00]   < 18772> aws| >> |WinHttpSendRequest: 12175: A security error occurred

Cause

One of the most likely reasons is that the revocation status of the Amazon certificate cannot be verified.

To verify the certificate revocation status, the Veeam server or Veeam gateway server must have access to the Internet, and the following certificate revocation lists (CRLs) must be accessible:

  • If the Veeam backup server or dedicated gateway server has access to the Internet and the above-mentioned CRL files can be downloaded successfully, open a ticket with technical support to investigate the problem further.
  • If the Veeam backup server or dedicated gateway server does not have access to the Internet (the access was restricted intentionally), see the Solution section.

Solution

To disable Amazon S3 certificate revocation verification, apply the following registry tweak on the configured Amazon S3 gateway server (the "Use the following gateway server" option in the object storage properties):

  1. Download the hotfix file:
    • For v10 P1: kb3215_HF1.zip from attachments
    • For v10 P2: kb3215_HF2.zip from attachments
  2. Back up or rename the original VeeamAgent.exe in the following paths (default installation paths):
    • C:\Program Files (x86)\Veeam\Backup Transport\x64
    • C:\Program Files (x86)\Veeam\Backup Transport\x32
  3. Replace C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamAgent.exe and C:\Program Files (x86)\Veeam\Backup Transport\x86\VeeamAgent.exe with the corresponding files (names and paths match) from the downloaded hotfix package.
  4. Create a registry record:
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication (in the Veeam Backup and Replication server registry)
    Value type: DWORD
    Value name: S3TLSRevocationCheck
    Value: 0
  5. Restart the Veeam server.
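
The steps above as a PowerShell script for an elevated session, which checks the downloaded package against the SHA-1 published in this article before any binary is replaced. This is an added example, not code from Veeam or from the original article; the parameter names, the staging folder and the package layout (each VeeamAgent.exe stored under a folder named after its architecture) are assumptions.

```powershell
# Added example, not Veeam's own tooling. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)][string]$HotfixZip,   # downloaded kb3215_HF1.zip or kb3215_HF2.zip
    [Parameter(Mandatory)][ValidateSet('P1','P2')][string]$Patch,
    [string]$TransportDir = 'C:\Program Files (x86)\Veeam\Backup Transport'
)
$ErrorActionPreference = 'Stop'

# SHA-1 values as published in the More Information section of this article.
$published = @{
    P1 = '5cd01325d3c87a3c833ed6e926364d86f6e96ffe'
    P2 = '216e1bb90281bddbc36064718ecf334403de4015'
}

# Step 1: stop if the download does not match the published hash.
$actual = (Get-FileHash -LiteralPath $HotfixZip -Algorithm SHA1).Hash
if ($actual -ne $published[$Patch]) {
    throw "SHA-1 mismatch for $HotfixZip (got $actual); not installing."
}
$stage = Join-Path $env:TEMP "kb3215_$Patch"   # assumed staging folder
Expand-Archive -LiteralPath $HotfixZip -DestinationPath $stage -Force

# Steps 2-3: the article names the 32-bit folder both x32 and x86; use whichever exists.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($arch in 'x64', 'x86', 'x32') {
    $target = Join-Path $TransportDir "$arch\VeeamAgent.exe"
    if (-not (Test-Path -LiteralPath $target)) { continue }
    # Assumption: the package holds VeeamAgent.exe under a folder with the same name.
    $new = Get-ChildItem -LiteralPath $stage -Recurse -Filter VeeamAgent.exe |
        Where-Object { $_.Directory.Name -eq $arch } | Select-Object -First 1
    if (-not $new) { throw "No replacement for $arch found in the package." }
    Copy-Item -LiteralPath $target -Destination "$target.$stamp.bak"   # keep the original
    Copy-Item -LiteralPath $new.FullName -Destination $target -Force
}

# Step 4: create the DWORD value that turns the revocation check off.
$key = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'S3TLSRevocationCheck' -PropertyType DWord -Value 0 -Force | Out-Null

# Step 5 is left to the operator.
Write-Host 'Files replaced and S3TLSRevocationCheck set to 0. Restart the Veeam server.'
```

The timestamped .bak copies and the single registry value are everything the script changes, so restoring the copies and deleting S3TLSRevocationCheck reverts it.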

More Information

Download hotfix for 10 Patch 1: https://www.veeam.com/download_add_packs/vmware-esx-backup/kb3215
MD5: af88fbdbb98fbed29bfd07c1b5f64c68
SHA-1: 5cd01325d3c87a3c833ed6e926364d86f6e96ffe

Download hotfix for 10 Patch 2: https://www.veeam.com/download_add_packs/vmware-esx-backup/kb3215_1
MD5: 17a4fc6d140ae21f0fbf7129c26864ac
SHA-1: 216e1bb90281bddbc36064718ecf334403de4015

 
