Challenge
The Service Provider wizard on the Tenant Veeam Server fails with errors.
Two examples:
Certificate validation failed. Unable to connect to the service provider.
Certificate validation failed. Authentication failed because the remote party has closed the transport stream.
Solution
Veeam Support engineers are only able to assist with isolation of certificate problems. Veeam Support is unable to assist in generating, altering, importing, exporting, or installing SSL certificates. For more information on certificate processes, please refer to your SSL certificate provider.
The following is a list of common causes.
- The connection to the Service Provider Gateway(s) cannot be made with the default port TCP 6180.
Ensure TCP/UDP port 6180 is allowed outbound from the tenant environment (for stateful firewalls only). If the firewall is stateless, a static rule will need added for the return traffic. Similar firewall exceptions with TCP/UDP 6180 need to be applied in the provider's firewall for traffic that is destined for each Cloud Connect Gateway. Additionally, please note that tenant proxies or repositories will connect directly to the Cloud Connect Gateways during job runs.
- The certificate is expired and needs renewed.
- The certificate was incorrectly keyed during the CSR process and needs re-keyed or the private key is missing entirely.
Ensure the certificate with the private key is installed in the Service Provider Cloud Connect server. It does not need to be installed in the Cloud Connect Gateways if they are separate servers. The issued certificate with the private key will be a file with a .pfx extension.
If your SSL certificate provider asks you to generate the PFX file using a private key you have generated as opposed to one they provide, it will be considered a security risk and will not be a supported configuration. - The certificate chain has not been fully installed in the Service Provider Cloud Connect server and the chain of trust cannot be found. The connection to the Service Provider Cloud Connect server will not be authenticated unless the Tenant Veeam server can validate a certificate ending in a Root CA certificate.
Ensure the certificate chain is installed in the Service Provider Cloud Connect server, which includes subordinate (intermediate) and root CA certificates. Often the SSL certificate provider will include the chain in a separate file with a p7b extension.
- The Cloud Connect Gateway(s) cannot resolve (with DNS) the Cloud Connect Server or the Cloud Connect Gateways cannot communicate internally or via the DMZ to the Cloud Connect Server.
Ensure DNS can be resolved for the Cloud Connect Server from all Cloud Connect Gateways. Disable any gateways that are not going to be used.
- In some cases, a firewall will have a type of adaptive security that filters SSL\TLS traffic. For example, some names for this are “deep packet inspection” (dpi), packet inspection, or SSL\TLS inspection. The usage of these features creates a Man-in-the-Middle scenario with the firewall and can cause issues when the certificate is exchanged to the Tenant Veeam Server.
- Some newer certificate formats are only supported in 9.5 update 2 or later, for example, Microsoft Software Key Storage Provider.
More Information
For more information on Certificate Signing Request (CSR) please read:https://www.veeam.com/blog/generate-and-install-ssl-certificates-on-microsoft-windows.html
For more information concerning Veeam Cloud Connect component communication and the ports used, please refer to the user guide section below.
https://helpcenter.veeam.com/docs/backup/cloud/ports.html?ver=95
For information regarding the most recent version of Veeam Backup & Replication:
https://www.veeam.com/updates.html