How to use Veeam Backup for Nutanix AHV/Veeam Backup for Red Hat Virtualization Proxy with Internal CA Certificates
Purpose
This article documents how to configure the following components to handle certificates signed by an Internal CA properly:
Cause
By default, these components are only aware of publicly available Certification Authorities.
If an Internal CA is used to sign the Cluster or Veeam Backup & Replication certificate, these components cannot verify the certificate, and communication will fail.
Solution
- Export all certificates in the chain as Base64-encoded ASCII.
Make sure that exported certificates have a .crt extension. If they were exported as .cer - rename them to .crt - Enable SSH on the Appliance/Proxy:
- Enabling SSH on Nutanix AHV Backup Appliance (Veeam Backup for Nutanix AHV 4.x+)
- Enabling SSH on Nutanix AHV Backup Appliance (Veeam Backup for Nutanix AHV 3.x)
- Enabling SSH on RHV Backup Proxy (Veeam Backup for Red Hat Virtualization 3.x+)
- Enabling SSH on RHV Backup Proxy (Veeam Backup for Red Hat Virtualization 2.x)
- Upload all exported certificates to a folder on the Proxy/Appliance using WinSCP or another SCP/SFTP client, and then copy them to:
Only the root user has write access to this folder. You must first upload the certificates to your user's home directly, then use 'sudo cp' to copy them to the folder.
- Connect to the Appliance/Proxy via SSH, and execute the following command:
Example Output:
admin@proxy:/usr/local/share/ca-certificates$ sudo update-ca-certificates [sudo] password for admin: Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
- Reboot the component (Appliance or Proxy).
- If the component has been added to Veeam Backup & Replication, rescan it: If it has not been added to Veeam Backup & Replication, add it:
- Disable SSH on the Proxy/Appliance, which was enabled in Step 2.
The configuration of custom Certificate Authorities (CA) is an OS-level change and is not captured by the Configuration Backup function of Veeam Backup for Nutanix AHV nor Veeam Backup for Red Hat Virtualization.
If the proxy/appliance is redeployed, whether manually or after upgrading to a new version, the procedure documented in this KB must be performed again.
Restoring the configuration to an existing proxy/appliance that has custom Internal CAs configured will not require reinitialization of the custom Internal CAs. However, if configuration restore is performed to a new proxy/appliance, the custom Internal CA installation procedure documented in this article must be completed.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.