Skip to main content

I tried to add my certificate according to this page: https://helpcenter.veeam.com/docs/backup/hyperv/import_tls_pfx.html?ver=120

Now VeeamBackupSvc service is not starting showing 1064 error and obviously I can’t use Console to create new self-signed certificate as a workaround. It’s B&R version 10a so I cannot Repair installation - there’s no such option in the installer.

How can I fix this?

I tried to add my certificate according to this page: https://helpcenter.veeam.com/docs/backup/hyperv/import_tls_pfx.html?ver=120

Now VeeamBackupSvc service is not starting showing 1064 error and obviously I can’t use Console to create new self-signed certificate as a workaround. It’s B&R version 10a so I cannot Repair installation - there’s no such option in the installer.

How can I fix this?

Hello, hope you are fine !

Can you share with us some prints of the error ?


Honestly @pgadmin ...for an issue such as this, I highly recommend you get ahold of Veeam Support. Someone else here may be able to assist, but when dealing with cert security issues, etc, I think it best to go through support to get you back up & going.


There is such string in logs, could it be a key to the solution? How can I inject the key in the current installation?

[04.08.2023 15:29:54] <04> Error    It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)

Here’s the full portion of log file mentioning Error

It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeProvider.CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener..ctor(ConnectionOrientedTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpChannelListener..ctor(TcpTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpTransportBindingElement.BuildChannelListener.TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListenernTChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Typel] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Veeam.Backup.Service.CRemoteInvokeServiceHolder..ctor(String ipOrDns, Int32 port, CVbServiceManagers managers)
   at Veeam.Backup.Service.CVbServiceImpl.InitSslServerChannel(CVbServiceManagers mngrs, CDisposableList disposableObjects)
   at Veeam.Backup.Service.CVbServiceImpl..ctor(CVbEnvironment env, CTerminationMediator terminator)
   at Veeam.Backup.Service.CVeeamBackupSvc.OnStart(Stringc] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.ServiceProcess.ServiceBase.Run(ServiceBaseS] services)
   at Veeam.Backup.Service.Program.Main(String ] args)

@coolsport00 I finished on this forum because when I try to register at https://forums.veeam.com/ it says my email domain is banned.

@matheusgiovanini do you mean printscreen of service’s error? 

 


There is such string in logs, could it be a key to the solution? How can I inject the key in the current installation?

[04.08.2023 15:29:54] <04> Error    It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)

 

@coolsport00 I finished on this forum because when I try to register at https://forums.veeam.com/ it says my email domain is banned.

@matheusgiovanini do you mean printscreen of service’s error? 

 

This would be if you created the certificate externally and didn’t import the private key, you’ll need to reimport the certificate (which keeps the thumbprint etc identical for Veeam to read) with the private key imported too.

 

If you imported it and it did have a private key, then as the error says, Veeam might not have permission to access the private key, do you know what certificate store you imported it into? Was it User, service, or Machine?

 

As for the forums.veeam.com link, that’s an R&D forum, so it’s not actually a support forum either, you should raise a case against your license in the Veeam portal.


Hi @pgadmin - I mean Veeam Support, not the Veeam Forums. The Forums tend to ask for a Veeam Support Case ID when seeking assistance there. I’m not necessarily discouraging you from using the Community Hub. But, because your backup environment is down, and certificate issues can be a bit tricky, I thought it best to open a Veeam Support ticket to get you back up & running as quick as possible.

That being said, according to your log message, did you have a password associated with your cert when you imported it? When you created your cert, did you have both a public & private key created?


@MicoolPaul

do you know what certificate store you imported it into? Was it User, service, or Machine?

I’m sorry, I don’t know it. I imported it here

Then it hanged up for like 20 minutes, then I close everything and finished here.

you’ll need to reimport the certificate (which keeps the thumbprint etc identical for Veeam to read) with the private key imported too

How can I achieve that?

 

@coolsport00 

When you created your cert, did you have both a public & private key created?

I have both cer and key files. But since service is not starting, B&R console can’t start too. So I can’t import certificate from Console’s menu. Do you know any other way to import certificate to Veeam software?


@pgadmin ...trying to think, but can’t think of any other way to do the reimport without being able to open the Console. Another reason why I suggest opening a ticket Veeam Support. From your screenshot, it looks like the import probably puts the cert in the Personal Cert Store, which you can look/verify if you open certificates.msc.

If I come up with a way to reimport, I’ll let you know.


@coolsport00

I don’t know how exactly it helped, because it still shows now that B&R uses self-signed certificate, but it finally runs! I converted my cer+key pair to PFX and put it into Personal certificates of the Local Computer.

Thanks for the help by pointing that Veeam uses OS embedded key storage!

 


@pgadmin - no..I didn’t suggest importing the cert in the Personal Store. I only suggested to look in the Personal Store as it appeared as if that was the location the cert import via Veeam Console goes to, based on the screenshot you provided (imports into the “local Certificate Store” it says).

At this point, I suggest opening a case.


Well, glad it’s now working for you. I suggest to test everything out to make sure all is well.

Cheers.


@coolsport00 

The thing i messed with certificates is I wanted to suppress the warning on adding ESXI to B&R. Thing is when I open ESXI’s Web-UI through the web-browser, it says my certificate is valid. But B&R keeps saying something wrong with the name.

Do you know any solution for this to make B&R fine with ESXI’s certificate? I’m asking here because really don’t want to spam threads here.


I honestly am not 100% sure. If I had to guess (and this is just a guess), although your cert is valid on your ESXi Host via browser, this only means all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from, which means they’re all in the local Cert Store on that machine. If your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server, this may be the reason for the untrusted cert warning message you see when adding Hosts to VBR. And, I think my interpretation is correct, according to Veeam’s User Guide on adding vSphere Hosts


@coolsport00

Thanks for the reply, I’ve checked the link! Sadly, nothing tells me where the error ‘Remote certificate name mismatch’ originates from.

all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from

 

your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server

It’s the same PC. I actually wanted to show it with the screenshot, where two windows of the browser and the VBR Console come side-by-side. This confuses me, why all the local certificates are enough for the browser but aren’t for VBR.

 


Hi @pgadmin ...hmm...well, I'm out of ideas then. I thought for sure that could be the reason but I guess not. Maybe a PM in the Forums can shed some light on why that behavior occurs. 


@coolsport00

Thanks for the reply, I’ve checked the link! Sadly, nothing tells me where the error ‘Remote certificate name mismatch’ originates from.

all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from

 

your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server

It’s the same PC. I actually wanted to show it with the screenshot, where two windows of the browser and the VBR Console come side-by-side. This confuses me, why all the local certificates are enough for the browser but aren’t for VBR.

 

When you generated the Certs, did you specify a san:dns= attribute?


When you generated the Certs, did you specify a san:dns= attribute?

Yes, I did. I didn’t specify CN though, maybe that’s the problem, but wasn’t able to check since left everything up and running as is.


Let us know how you get on @pgadmin 


Ok so i am just adding this here because search engine takes me here when i look up the same error about certificates not having access to the private key.

 

I had a pretty unique situation, but maybe it will help. I was migrating the veeam VM from an old linux based hypervisor called QEMU. I used vmware converter to migrate it to esxi. But after i did it, i got this error and the service would not start. Turns out that uninstalling the QEMU tools somehow corrupted the certificate, so it no longer had any private key attached. It would then come up and say it could not manage private keys for the “veeam backup server certificate” because “no keys found for certificate!”.

 

I went back to the old server (pre migration), found the certificate in certificate store and exported as a PFX file. I was able to export the private key as well. Then i simply imported the pfx file to the new server, rebooted and veeam now starts and runs fine. I am not sure how you would get around this if you didnt have the key, or a way to export it, so i got really lucky here. Just passing it on incase it helps someone, even though my situation is not common at all…. Its also very hard to find the old 9.5 isos, apparently i have to contact support, but our support expired some years ago.

 

If you right click on the certificate, try to manage private keys, and it says “no private keys found for certificate!” you are somewhat screwed. I even tried a reinstall from the 9.5.4.2886 iso that i had but that did not work either.


Thanks for including your info @pstextractor 

Might come in handy for someone with a similar issue in the future


Comment