Question

Could not establish a trust relationship for the SSL/TLS secure channel


Userlevel 3

Hello, relatively new user to Veeam BU here. I am trying to find the cause of the error below:

The login is to the vCenter Server. So is Veeam complaining about the certificate for the vCenter Server? Where do I start looking at this point? Thanks.

..ar


10 comments

Userlevel 7

Yes...looks like a vCenter certificate issue. According to a couple Veeam KBs I looked at here and here, if the vCenter cert is less than 2048 bytes, you’ll get that error. Also, if the cert is expired, I think that error will surface. So, check your vCenter cert to verify its validity.

Cheers!

Userlevel 7

The last time I saw a similar error, the certificate was changed at the vCenter.
To solve this:

  • in the Veeam console go to “Inventory”
  • select your vCenter
  • right click on it and select “Properties”
  • click “Next” through the pages.
  • At one stage Veeam asks if you want to accept the certificate.
  • select “Yes”

After executing this procedure the problem was solved in my environment.

Userlevel 7

Hi @araczek,

Some great answers already, just my bit to add:

  • What version of Veeam are you using?
  • What version of VMware vCenter are you using?
  • Is vCenter an appliance or running on Windows?

You can find out if your certificates are expired by following this VMware KB article: Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x (2015600) (vmware.com)

Otherwise it could be an issue with TLS version compatibility between your Veeam server and VMware. If so, this would likely have been enforced by a GPO, so unless this is part of a large infrastructure where you’ve got a team that would do this, this one is unlikely.

Userlevel 7

> The last time I saw a similar error, the certificate was changed at the vCenter.
> To solve this:
>
>   • in the Veeam console go to “Inventory”
>   • select your vCenter
>   • right click on it and select “Properties”
>   • click “Next” through the pages.
>   • At one stage Veeam asks if you want to accept the certificate.
>
> After this the problem was solved in my environment.

These would be the best steps to perform as it typically fixes certificate issues in Veeam.

Userlevel 7

> Hi @araczek,
>
> Some great answers already, just my bit to add:
>
>   • What version of Veeam are you using?
>   • What version of VMware vCenter are you using?
>   • Is vCenter an appliance or running on Windows?
>
> You can find out if your certificates are expired by following this VMware KB article: Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x (2015600) (vmware.com)
>
> Otherwise it could be an issue with TLS version compatibility between your Veeam server and VMware. If so, this would likely have been enforced by a GPO, so unless this is part of a large infrastructure where you’ve got a team that would do this, this one is unlikely.

Actually, you bring up a really good point here about TLS. We have recently been upgrading vCloud and VMware but needed to upgrade our VBR servers, as many were on Win2012R2 and after the VMware upgrades they were failing due to TLS, so we moved them to Win2019 ahead of any VMware upgrades since we set security on the VMware stack.

Userlevel 3

Thank you all! I remembered something recently and rifled through my emails for an email from my boss about certificates. Sure enough, a few weeks ago he renewed the vCenter certificate. I found a discussion on this site that said “go to Backup Infrastructure, select the vCenter Server, click through the dialogs and click finish.” Looks like Inventory now shows all the VMs. Not exactly sure I saw all of them before.

Thank you!

...alan
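
The checks suggested in this thread (expiry, key size, and whether the vCenter certificate was replaced) can be run from the backup server with PowerShell. This is an added example, not part of any post here and not Veeam's own tooling; the function names, the host name `vcenter.example.test`, the 30-day warning window and the comparison against a previously recorded thumbprint are assumptions, and the 2048 threshold is applied to the RSA key size in bits.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Fetch the certificate a server presents. The callback accepts any certificate
# because this connection only inspects it; no credentials or data are sent.
function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        [X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
}

# Report the conditions discussed in the thread for one certificate.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string]$TrustedThumbprint,   # assumption: thumbprint noted when the server was last trusted
        [int]$WarnDays = 30
    )
    $now = Get-Date
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($now -gt $Certificate.NotAfter) { $findings.Add('expired') }
    elseif ($now.AddDays($WarnDays) -gt $Certificate.NotAfter) { $findings.Add("expires within $WarnDays days") }
    if ($now -lt $Certificate.NotBefore) { $findings.Add('not yet valid') }
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)   # $null for non-RSA keys
    if ($rsa -and $rsa.KeySize -lt 2048) { $findings.Add("RSA key is $($rsa.KeySize) bits (< 2048)") }
    $want = $TrustedThumbprint -replace '[^0-9A-Fa-f]'                 # drop spaces and colons
    if ($want -and $want -ne $Certificate.Thumbprint) { $findings.Add('thumbprint differs from the trusted one') }
    [pscustomobject]@{
        Subject = $Certificate.Subject; NotAfter = $Certificate.NotAfter
        Thumbprint = $Certificate.Thumbprint; Findings = $findings
    }
}

# Constructed sample (not a real vCenter certificate): 1024-bit key, 10 days left.
# Building it this way needs .NET Framework 4.7.2+ or PowerShell 7.
$key    = [RSA]::Create(1024)
$req    = [CertificateRequest]::new('CN=vcenter.example.test', $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(10))
(Test-ServerCertificate -Certificate $sample -TrustedThumbprint ('0' * 40)).Findings

# Against a live server (placeholder host name):
# Test-ServerCertificate -Certificate (Get-ServerCertificate 'vcenter.example.test')
```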

Userlevel 7

> Thank you all! I remembered something recently and rifled through my emails for an email from my boss about certificates. Sure enough, a few weeks ago he renewed the vCenter certificate. I found a discussion on this site that said “go to Backup Infrastructure, select the vCenter Server, click through the dialogs and click finish.” Looks like Inventory now shows all the VMs. Not exactly sure I saw all of them before.
>
> Thank you!
>
> ...alan

Glad you were able to fix it.

Userlevel 7

Glad you got it sorted @araczek 

Userlevel 7

Great input from everyone, and also for the KB referenced by @coolsport00.

  • Just to add a little input, this is because of an incorrect TLS version. TLS 1.0 and its predecessor are deprecated and are vulnerable to some well-known security issues such as the POODLE and BEAST attacks.

Userlevel 7

I would like to share a guide not related to this issue, just in case someone wishes to learn something.
