Veeam software, VEEAM:KB4433
Mar 27, 2023 - 12:00 a.m.

How to use Veeam Backup for Nutanix AHV/Veeam Backup for Red Hat Virtualization Proxy with Internal CA Certificates

www.veeam.com
AI Score: 7.1 (Confidence: Low)


Article Applicability

The need to perform the procedures documented in this article has been eliminated through improvements to how certificates are handled, starting in the following versions:

  • Veeam Backup for Nutanix AHV 5
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization 4

Purpose

This article documents how to configure the following components to handle certificates signed by an Internal CA properly:

Cause

By default, these components are only aware of publicly available Certification Authorities.

If an Internal CA is used to sign the Cluster or Veeam Backup & Replication certificate, these components cannot verify the certificate, and communication will fail.

Solution

  1. Export all certificates in the chain as Base64-encoded ASCII.
    Make sure that the exported certificates have a .crt extension. If they were exported as .cer, rename them to .crt.
  2. Enable SSH on the Appliance/Proxy:
    * Enabling SSH on Nutanix AHV Backup Appliance (Veeam Backup for Nutanix AHV 4.x+)
    * Enabling SSH on RHV Backup Proxy (Veeam Backup for Red Hat Virtualization 3.x+)
  3. Upload all exported certificates to a folder on the Proxy/Appliance using WinSCP or another SCP/SFTP client, and then copy them to /usr/local/share/ca-certificates:
    Only the root user has write access to this folder. You must first upload the certificates to your user’s home directory, then use ‘sudo cp’ to copy them to the folder.

    sudo cp ~/path/to/uploaded/certs/* /usr/local/share/ca-certificates

  4. Connect to the Appliance/Proxy via SSH, and execute the following command:

    sudo update-ca-certificates

    Example Output:

    admin@proxy:/usr/local/share/ca-certificates$ sudo update-ca-certificates
    [sudo] password for admin:
    Updating certificates in /etc/ssl/certs...
    2 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.

  5. Reboot the component (Appliance or Proxy).
  6. If the component has been added to Veeam Backup & Replication, rescan it:
    * Rescanning Nutanix AHV Backup Appliance
    * Rescanning RHV Backup Proxy
    If it has not been added to Veeam Backup & Replication, add it:
    * Connecting Existing Nutanix AHV Backup Appliance
    * Connecting Existing RHV Backup Proxy
  7. Disable SSH on the Proxy/Appliance, which was enabled in Step 2.
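
A pre-flight check for the exported files, run in the upload directory before the 'sudo cp' in step 3; this is an added example, not part of the Veeam article. The function names are hypothetical, and describe_cert assumes the openssl CLI is installed where the script runs.

```shell
#!/bin/sh
# Checks the two requirements from step 1 (.crt extension, Base64 encoding)
# and shows whose certificate is about to be added to the OS trust store.

# check_ca_file FILE -> 0 = ready, 1 = wrong extension, 2 = not Base64 (PEM)
check_ca_file() {
    case "$1" in
        *.crt) ;;
        *) echo "SKIPPED  $1: no .crt extension (rename .cer to .crt)"
           return 1 ;;
    esac
    # Base64 exports contain this armor line; binary (DER) exports do not.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "INVALID  $1: not Base64-encoded ASCII, export it again"
        return 2
    fi
    echo "OK       $1"
}

# describe_cert FILE: print subject, issuer, expiry and SHA-256 fingerprint
# so they can be compared with what the Internal CA team published.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# preflight DIR -> 0 only if DIR holds at least one file and all are ready
preflight() (
    ready=0
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if check_ca_file "$f"; then
            ready=$((ready + 1))
        else
            bad=$((bad + 1))
        fi
    done
    echo "$ready ready, $bad need attention"
    [ "$bad" -eq 0 ] && [ "$ready" -gt 0 ]
)

# Stand-alone use: sh preflight.sh ~/path/to/uploaded/certs
if [ "$#" -gt 0 ]; then
    preflight "$1"
    for f in "$1"/*.crt; do describe_cert "$f"; done
fi
```

On a first installation, the "ready" count should match the "added" figure that update-ca-certificates prints in step 4; a lower "added" figure means a file was not picked up.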

Custom Internal CA Setting Persistence

The configuration of custom Certificate Authorities (CA) is an OS-level change and is not captured by the Configuration Backup function of Veeam Backup for Nutanix AHV or Veeam Backup for Red Hat Virtualization.

If the proxy/appliance is redeployed, whether manually or after upgrading to a new version, the procedure documented in this KB must be performed again.

Restoring the configuration to an existing proxy/appliance that has custom Internal CAs configured will not require reinitialization of the custom Internal CAs. However, if configuration restore is performed to a new proxy/appliance, the custom Internal CA installation procedure documented in this article must be completed.

Affected configurations

Vendor   Product                          Version   CPE
veeam    veeam_backup_for_google_cloud    4.0       cpe:2.3:a:veeam:veeam_backup_for_google_cloud:4.0:*:*:*:*:*:*:*
veeam    veeam_backup_for_google_cloud    3.0       cpe:2.3:a:veeam:veeam_backup_for_google_cloud:3.0:*:*:*:*:*:*:*