Challenge
Adding an Amazon S3 object storage repository may fail with the following error: "Failed to load Amazon S3 Compatible configuration: Failed to establish connection to Amazon S3 Compatible endpoint. See logs for details."
By default, the log %programdata%\Veeam\Backup\Satellites\BackupServer\User\Agent.PublicCloud.Satellite.log contains the following entries:
[15.06.2020 11:00:00] < 5836> net| Retrieving certificate for s3.amazonaws.com:443 ok.
[15.06.2020 11:00:00] < 5836> cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[15.06.2020 11:00:00] < 5836> cli| Result
[15.06.2020 11:00:00] < 5836> cli| (EString) Certificate = -----BEGIN CERTIFICATE----- ....
[15.06.2020 11:00:00] < 5836> cli| -----END CERTIFICATE-----
[15.06.2020 11:00:00] < 5836> cli|
[15.06.2020 11:00:00] < 5836> cli| (EBoolean) IsTrusted = true
[15.06.2020 11:00:00] < 5836> cli| AmazonRest.S3.TestConnection
[15.06.2020 11:00:00] < 5836> cli| (EGuid) ClientId = {abcf50ec-e8a7-4cd7-a186-22fa9447c676}
[15.06.2020 11:00:00] < 5836> cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[15.06.2020 11:00:00] < 5836> aws| Creating HTTP client. API URI: [https://s3.amazonaws.com]
[15.06.2020 11:00:00] < 18772> aws| WARN|HTTP request failed, retry in [1] seconds, attempt number [1], total retry timeout left: [5] seconds
[15.06.2020 11:00:00] < 18772> aws| >> |WinHttpSendRequest: 12175: A security error occurred
Cause
One of the most likely reasons is that the Amazon certificate revocation status cannot be verified. To verify the certificate revocation status, the Veeam server or Veeam gateway server must have access to the Internet, and the following certificate revocation lists (CRLs) must be accessible:
- http://crl3.digicert.com/Omniroot2025.crl
- http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl
- http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl
- If the Veeam backup server or dedicated gateway server has access to the Internet and the above-mentioned CRL files can be downloaded successfully, open a ticket with technical support to investigate the problem further.
- If the Veeam backup server or dedicated gateway server doesn't have access to the Internet (the access was restricted intentionally), see the Solution section.
Solution
To disable Amazon S3 certificate revocation verification, set the registry tweak on the configured Amazon S3 gateway server (the "Use the following gateway server" option in the object storage properties) as follows:
- Download the hotfix file:
  - For v10 P1: kb3215_HF1.zip from attachments
  - For v10 P2: kb3215_HF2.zip from attachments
- Back up or rename the original VeeamAgent.exe under the following paths (default installation path):
  - C:\Program Files (x86)\Veeam\Backup Transport\x64
  - C:\Program Files (x86)\Veeam\Backup Transport\x32
- Replace C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamAgent.exe and C:\Program Files (x86)\Veeam\Backup Transport\x86\VeeamAgent.exe with the corresponding files (matching names and paths) from the downloaded hotfix package.
- Create the registry record:
  Path: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication (in the Veeam Backup and Replication server registry)
  Value type: DWORD
  Value name: S3TLSRevocationCheck
  Value: 0
- Restart the Veeam server.
More Information
DOWNLOAD HOTFIX FOR 10 PATCH 1: https://www.veeam.com/download_add_packs/vmware-esx-backup/kb3215
MD5: af88fbdbb98fbed29bfd07c1b5f64c68
SHA-1: 5cd01325d3c87a3c833ed6e926364d86f6e96ffe
DOWNLOAD HOTFIX FOR 10 PATCH 2: https://www.veeam.com/download_add_packs/vmware-esx-backup/kb3215_1
MD5: 17a4fc6d140ae21f0fbf7129c26864ac
SHA-1: 216e1bb90281bddbc36064718ecf334403de4015
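
The checks from the Cause and Solution sections as a PowerShell script (an added example, not part of the original article and not a Veeam tool): it tests whether the listed CRLs can be downloaded from the server, verifies the hotfix zip against the SHA-1 listed above before VeeamAgent.exe is replaced, and reports the current S3TLSRevocationCheck value. The -DownloadDir location and the script layout are assumptions; the URLs, file names, hashes and registry path are the ones given in this article.

```powershell
# Added example: pre-flight checks to run on the gateway server.
# -DownloadDir is an assumed location for the downloaded hotfix zip.
param(
    [ValidateSet('P1', 'P2')][string]$Patch = 'P1',
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"
)

# CRL URLs, file names and SHA-1 values as listed in this article.
$crlUrls = @(
    'http://crl3.digicert.com/Omniroot2025.crl',
    'http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl',
    'http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl'
)
$hotfix = @{
    P1 = @{ File = 'kb3215_HF1.zip'; Sha1 = '5cd01325d3c87a3c833ed6e926364d86f6e96ffe' }
    P2 = @{ File = 'kb3215_HF2.zip'; Sha1 = '216e1bb90281bddbc36064718ecf334403de4015' }
}

# 1. Try to download each CRL from this machine and record the outcome.
$crl = foreach ($url in $crlUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $url; Reachable = $true; Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
    } catch {
        [pscustomobject]@{ Url = $url; Reachable = $false; Detail = $_.Exception.Message }
    }
}
$crl | Format-Table -AutoSize | Out-String | Write-Host

if ($crl.Reachable -notcontains $false) {
    Write-Warning 'All CRLs downloaded. Per the article, open a support ticket instead of disabling the check.'
    return
}

# 2. Compare the downloaded hotfix with the published SHA-1 before touching VeeamAgent.exe.
$zip = Join-Path $DownloadDir $hotfix[$Patch].File
$actual = (Get-FileHash -Path $zip -Algorithm SHA1 -ErrorAction Stop).Hash
if ($actual -ne $hotfix[$Patch].Sha1) {   # -ne compares strings case-insensitively
    throw "SHA-1 mismatch for ${zip}: got $actual"
}
Write-Host "Hotfix hash OK: $zip"

# 3. Report the current state of the registry value (read-only).
$key = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$cur = (Get-ItemProperty -Path $key -Name S3TLSRevocationCheck -ErrorAction SilentlyContinue).S3TLSRevocationCheck
if ($null -eq $cur) {
    Write-Host 'S3TLSRevocationCheck is not set.'
} else {
    Write-Host "S3TLSRevocationCheck = $cur"
}
```

WinHTTP, which appears in the failing log line, uses its own proxy settings (netsh winhttp show proxy), so a successful download in an interactive session does not by itself prove that the Veeam service can reach the CRLs.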