Receiving Failed to Retrieve Certificate With Veeam Backup & Replication

Why do I receive "Failed to retrieve certificate" with Veeam Backup & Replication?

When connecting Veeam to Wasabi for the first time, or after there have been network-related changes, you may encounter the error “Failed to retrieve certificate.” This is an indication that your Veeam Backup & Replication server is unable to reach the Wasabi service and validate the certificate. Below is an example error message:

11/2/2020 4:22:01 AM :: Failed to offload backup Error: Failed to retrieve certificate from https://s3.us-east-2.wasabisys.com/
11/2/2020 4:22:01 AM :: Failed to retrieve certificate from https://s3.us-east-2.wasabisys.com/

11/1/2020 5:14:30 PM :: Processing Error: Failed to retrieve certificate from https://s3.us-east-2.wasabisys.com/
11/1/2020 5:15:58 PM :: Failed to offload backup Error: Failed to retrieve certificate from https://s3.us-east-2.wasabisys.com/

To verify connectivity:

• Verify that your Veeam server has internet access to the URLs. For a complete list on these URLs, review Wasabi Service URLs.

• Be sure that outbound access using TCP is allowed on port 443 to URLs being used by your buckets in your firewall. If the firewall uses IP Address/Subnets for an allow list, refer to How do I whitelist Wasabi service URLs in my firewall? to determine the subnet range for your bucket.

• If your network requires the use of a network proxy such as a SOCKS5 proxy, verify that you have configured the correct proxy URL for use with Veeam. If the proxy is blocking Wasabi, you may have to request a proxy bypass from your networking team or have the Wasabi URLs allowed through it.

• If your network uses an SSL Decryption device in order to inspect encrypted traffic, it may be required to bypass this decryption. Otherwise, the connection will fail.

• In certain cases, we have seen incorrectly configured MTU settings generate this error. The typical setting is 1500. If you are using Jumbo Frames, validate that your network supports this and also allows for proper Path MTU Discovery (PMTUD).

Additional Troubleshooting Steps

With respect to the "Failed to retrieve the certificate from https://s3.<bucket-name>.<region>.wasabisys.com" error, troubleshoot using the steps below.

The “bucket-name“ and “region“ would be the user's actual bucket name and its region in the URL.

• Network command to verify the connection. HTTP 403 Forbidden is bound to be received as no security credentials are being passed but wanted users to verify if the CAfile is picked to reach out to Wasabi regions and if an SSL connection is established.

• Verify that the log is related to the certificate errors from the particular Veeam backup job path "C:\ProgramData\Veeam\Backup\Satellites\<VeeamServer>\<console_account>\Satellite_Console.log"

• The keywords to search are "Retrieving certificate for" or "Agent.PublicCloud.Satellite*.log". These log searches will provide the errors of the certificate timestamps, regions, frequency, pattern, and so on.

• Be sure that Veeam v12 is on the Latest patch (12.1.2.172) as these CRL issues are addressed. Veeam 12 latest patch is KB2680: Build Numbers and Versions of Veeam Backup & Replication.

• Users of Veeam can also select, update, or import their TLS certificates by following the steps in Backup Server Certificate.

  Contact Veeam Support for CRL errors.

For more information, review Troubleshooting Certificate and Connection Errors in Cloud Connect.