Error "Failed to establish connection to Amazon S3 endpoint" or "Azure Cloud connection has returned an untrusted certificate."

KB ID: 3215
Product: Veeam Backup & Replication
Version: 10.0.1.4854 or newer
Published: 2020-06-30
Last Modified: 2022-07-12
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

When attempting to add an Object Storage Repository or use an existing Object Storage Repository the following errors occur:

  • Connection to Amazon S3 object storage fails with the following error:
    Failed to load Amazon S3 Compatible configuration: Failed to establish connection to Amazon S3 Compatible endpoint. See logs for details.
    
S3 Log Example
By default, in the log %programdata%\Veeam\Backup\Satellites\BackupServer\User\Agent.PublicCloud.Satellite.log the following entries are present:
net| Retrieving certificate for s3.amazonaws.com:443 ok.
cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
cli| Result
cli| (EString) Certificate = -----BEGIN CERTIFICATE-----
....
cli| -----END CERTIFICATE-----
cli|
cli| (EBoolean) IsTrusted = true
cli| AmazonRest.S3.TestConnection
cli| (EGuid) ClientId = {abcf50ec-e8a7-4cd7-a186-22fa9447c676}
cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
aws| Creating HTTP client. API URI: [https://s3.amazonaws.com]
aws| WARN|HTTP request failed, retry in [1] seconds, attempt number [1], total retry timeout left: [5] seconds
aws| >> |WinHttpSendRequest: 12175: A security error occurred
  • Connection to Azure storage fails with the following error:
    Azure Cloud connection has returned an untrusted certificate.
    
Azure Log Example
Info     [PublicCloudCertificateLoader] Retrieved untrusted certificate from DefaultEndpointsProtocol=https;AccountName=<account>
Info     [PublicCloudCertificateLoader] Certificate is not the part of the local chain. Validating.
Warning   [CertificateError] Validation complete with warnings:
Warning   Remote certificate chain errors:
Warning   RevocationStatusUnknown (The revocation function was unable to check revocation for the certificate.)
Info     [PublicCloudCertificateLoader] Validation result: certificate is untrusted
Error    Failed to connect to Azure External configuration (region = 'AzureCloud', CredsId = <guid>)
Error    Azure Cloud connection has returned an untrusted certificate. (System.Exception)

Cause

This issue often occurs when the Veeam server or Veeam gateway server has insufficient internet access to verify that the certificate has not been revoked in the CA's CRL (Certificate Revocation List).

 

Solution

User Guide: Certificate Validation and Revocation Information

 

To verify the certificate revocation status, the Veeam server or Veeam gateway server must:

  1. have access to the internet
  2. be able to access the following certificate revocation lists (CRL):
    Addtional CRL files may be refrenced by the SSL certifcate itself, check the certificate details for more information.

 

If the Veeam software continues to display errors, and you have verified access to the Certificate Revocation Lists (CRL) on the Veeam Backup Server or dedicated Gateway Server, open a case with Veeam Support.

Testing CRL Retrieval (Windows)

The following steps will document how to use the native certutil tool to test for access to the CRL files.
 

In a Command Prompt or Windows PowerShell window, perform the following steps for each CRL to test the ability to retrieve them.

  1. Enter the following command, replacing <crl_URL> with the CRL file's URL.
certutil -url <crl_URL>
  1. Within the URL Retrieval Tool that opens, click Retrieve
CRL Retrieve
  1. Note the status that is reported
CRL Retrieve OK
The CRL was Retrieved Successfully
CRL Retrieve Failed
The CRL Retrieval Failed

Testing CRL Retrieval (Linux)

The following documents how to use wget to test for access to the CRL files.

Execute the following command for each CRL to test the ability to retrieve them.
replacing <crl_URL> with the CRL file's URL.

wget <crl_URL>

Example of successful connection:

backupsvc@gateway:~$ wget http://crl3.digicert.com/Omniroot2025.crl
--2022-07-11 20:42:32--  http://crl3.digicert.com/Omniroot2025.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 72.21.91.29
Connecting to crl3.digicert.com (crl3.digicert.com)|72.21.91.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7967 (7.8K) [application/pkix-crl]
Saving to: ‘Omniroot2025.crl.4’
Omniroot2025.crl.4  100%[===================>]   7.78K  --.-KB/s    in 0s
2022-07-11 20:42:32 (1.22 GB/s) - ‘Omniroot2025.crl.4’ saved [7967/7967]

Example of failed connection:

backupsvc@gateway:~$ wget http://crl3.digicert.com/Omniroot2025.crl
--2022-07-11 20:41:58--  http://crl3.digicert.com/Omniroot2025.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 72.21.91.29
Connecting to crl3.digicert.com (crl3.digicert.com)|72.21.91.29|:80... failed: Connection refused.
Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.