"Failed to retrieve certificate" - Error When Interacting With Cloud Storage
KB ID: 4328
Product: Veeam Backup & Replication 10, 11
Published: 2022-06-23
Last Modified: 2022-06-23
Challenge
When adding an Object Storage Repository or interacting with an existing Object Storage Repository the following error occurs:
Failed to retrieve certificate from ...
The format of the error is different for each type of Object Storage Repository:
Note that the Azure endpoint URL is not detailed in the error when adding/interacting with Azure storage using the Azure Global Region. When using Azure Gov or Azure China, the error will contain the entire endpoint URL, as seen with AWS or S3-Compatible. To identify the specific Azure endpoint URL when using the Azure Global Region, check the Azure management portal or review the log investigation advice in the More Information section of this article.
Below are examples of this same "Failed to retrieve certificate" error occurring during an Offload task and when editing a Scale-Out Backup Repository.
Solution
This error occurs because the Veeam software could not retrieve and verify the certificate from the cloud storage endpoint.
Review the Used Ports section of the User Guide and ensure proper communication with object storage repositories.
Most Common Causes
- DNS
Ensure that the Veeam Backup Server and any configured Gateway server can resolve and reach the object storage endpoints.
- Firewall
Review relevant firewalls in the environment to ensure that the Veeam Backup Server and any configured Gateway server are permitted to reach the endpoints via the required ports.
- General Internet Connection Issue
If the issue is not related to the above, contact your Internet Provider to check if there are any network drops.
Edge Case
Though rare, several Veeam Support cases have been closed by customers after they reported that their security firewall was interfering with or tampering with the certificates that the Veeam software was requesting. Those security firewalls either prevented the certificate from being received or modified the certificate, preventing Veeam Backup & Replication from validating it.
Customer's comment to Veeam Support: "We have excluded all of the Veeam hosts from decryption in our firewall, and the issue is no longer happening."
More information
When the certificate error occurs while attempting to add the Object Storage Repository, the certificate retrieval is recorded in the following log file on the Veeam Backup Server:
C:\ProgramData\Veeam\Backup\Satellites\<VeeamServer>\<console_account>\Satellite_Console.log
<VeeamServer> = hostname or FQDN of the Veeam Backup Server
<console_account> = account used to open the Veeam Backup & Replication Console.
Log Example:
Info [PublicCloudCertificateLoader] Loading certificate for 'DefaultEndpointsProtocol=https;AccountName=kb4328'
Info [AP] (2730) command: 'Invoke: Network.RetrieveSslCertificate { (EString) HostName = kb4328.blob.core.windows.net; (EInt32) Port = 443; }'
Info [AP] (2730) output: <VCPCommandResult result="false" exception="resolve: The requested name is valid, but no data of the requested type was found
Agent failed to process method {Network.RetrieveSslCertificate}." />
Info [AP] (2730) output: >
Error resolve: The requested name is valid, but no data of the requested type was found (Veeam.Backup.Common.CCppComponentException)
Error Agent failed to process method {Network.RetrieveSslCertificate}. (Veeam.Backup.Common.CCppComponentException)
To simplify finding the endpoint information, search the Satellite log for:
command: 'Invoke: Network.RetrieveSslCertificate { (EString)
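The search above can be scripted. The following PowerShell is an added example, not Veeam code: it extracts each endpoint from the Network.RetrieveSslCertificate log lines and, with -Probe, checks DNS, TCP and the certificate actually presented to the server it runs on. The function names Get-CertEndpoint and Test-CertEndpoint and the parameters are hypothetical.

```powershell
# Added example, not Veeam code. Function and parameter names are hypothetical.
param(
    [string]$LogPath,   # path to Satellite_Console.log; if omitted, the sample line below is parsed
    [switch]$Probe      # also attempt DNS, TCP and TLS checks against each endpoint found
)
# Sample input: the command line from the log excerpt in this article.
$sample = @'
Info [AP] (2730) command: 'Invoke: Network.RetrieveSslCertificate { (EString) HostName = kb4328.blob.core.windows.net; (EInt32) Port = 443; }'
'@ -split "`r?`n"

function Get-CertEndpoint {
    param([string[]]$Lines)
    $rx = 'Network\.RetrieveSslCertificate \{ \(EString\) HostName = (?<h>[^;]+); \(EInt32\) Port = (?<p>\d+);'
    $Lines | ForEach-Object {
        if ($_ -match $rx) {
            [pscustomobject]@{ HostName = $Matches.h.Trim(); Port = [int]$Matches.p }
        }
    } | Sort-Object HostName, Port -Unique   # one row per distinct endpoint
}

function Test-CertEndpoint {
    param([string]$HostName, [int]$Port)
    $r = [ordered]@{ Endpoint = "${HostName}:$Port"; Dns = $false; Tcp = $false
                     Subject = $null; Issuer = $null; PolicyErrors = $null; Error = $null }
    try {
        [System.Net.Dns]::GetHostAddresses($HostName) | Out-Null; $r.Dns = $true
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port); $r.Tcp = $true
        # Accept whatever certificate is presented so it can be inspected;
        # the validation result .NET computed is recorded, not discarded.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $cert, $chain, $policy) $script:policyErrors = $policy; $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $c.Subject; $r.Issuer = $c.Issuer; $r.PolicyErrors = [string]$script:policyErrors
    } catch { $r.Error = $_.Exception.Message }   # first failing step: DNS, TCP or TLS
    finally { if ($ssl) { $ssl.Dispose() }; if ($tcp) { $tcp.Dispose() } }
    [pscustomobject]$r
}

$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }
$endpoints = Get-CertEndpoint -Lines $lines
if ($Probe) { $endpoints | ForEach-Object { Test-CertEndpoint $_.HostName $_.Port } | Format-List }
else { $endpoints }
```

With -Probe, compare Issuer with the certificate authority expected for the storage provider; a firewall that decrypts TLS typically presents a certificate issued by its own CA, which matches the Edge Case described above.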