#1 Global Leader in Data Protection & Ransomware Recovery

How to use Veeam Backup for Nutanix AHV/Veeam Backup for Red Hat Virtualization Proxy with Internal CA Certificates

KB ID: 4433
Product: Veeam Backup for Nutanix AHV | 3.0 | 4.0 | 5.0 | 5.1
Veeam Backup for Red Hat Virtualization | 2.0 | 3.0 | 4.0
Published: 2023-03-27
Last Modified: 2023-06-02
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Purpose

This article documents how to configure the following components to handle certificates signed by an Internal CA properly:

 

Cause

By default, these components are only aware of publicly available Certification Authorities.

If an Internal CA is used to sign the Cluster or Veeam Backup & Replication certificate, these components cannot verify the certificate, and communication will fail.

Solution

  1. Export all certificates in the chain as Base64-encoded ASCII.
    Make sure that exported certificates have a .crt extension. If they were exported as .cer - rename them to .crt
  2. Enable SSH on the Appliance/Proxy:
  3. Upload all exported certificates to the Proxy/Appliance using WinSCP or another SCP/SFTP client, and then copy them to:
    Only the root user has write access to this folder. You must first upload the certificates to your user's home directly, then copy them to the folder using the command line.
/usr/local/share/ca-certificates
  1. Connect to the Appliance/Proxy via SSH, and execute the following command:
sudo update-ca-certificates

Example Output:

admin@proxy:/usr/local/share/ca-certificates$ sudo update-ca-certificates
[sudo] password for admin:
Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

 

  1. Reboot the component (Appliance or Proxy).
  2. If the component has been added to Veeam Backup & Replication, rescan it: If it has not been added to Veeam Backup & Replication, add it:
  3. Disable SSH on the Proxy/Appliance, which was enabled in Step 2.
Custom Internal CA Setting Persistence

The configuration of custom Certificate Authorities (CA) is an OS-level change and is not captured by the Configuration Backup function of Veeam Backup for Nutanix AHV nor Veeam Backup for Red Hat Virtualization

If the proxy/appliance is redeployed, whether manually or after upgrading to a new version, the procedure documented in this KB must be performed again.

Restoring the configuration to an existing proxy/appliance that has custom Internal CAs configured will not require reinitialization of the custom Internal CAs. However, if configuration restore is performed to a new proxy/appliance, the custom Internal CA installation procedure documented in this article must be completed.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.