Solved

Service is not starting after importing a certificate


Userlevel 4

I tried to add my certificate according to this page: https://helpcenter.veeam.com/docs/backup/hyperv/import_tls_pfx.html?ver=120

Now the VeeamBackupSvc service is not starting, showing error 1064, and obviously I can’t use the Console to create a new self-signed certificate as a workaround. It’s B&R version 10a so I cannot Repair the installation - there’s no such option in the installer.

How can I fix this?


Best answer by coolsport00 4 August 2023, 15:06


19 comments

Userlevel 7
Badge +17

Honestly @pgadmin ...for an issue such as this, I highly recommend you get ahold of Veeam Support. Someone else here may be able to assist, but when dealing with cert security issues, etc, I think it best to go through support to get you back up & going.

Userlevel 5
Badge +5

I tried to add my certificate according to this page: https://helpcenter.veeam.com/docs/backup/hyperv/import_tls_pfx.html?ver=120

Now the VeeamBackupSvc service is not starting, showing error 1064, and obviously I can’t use the Console to create a new self-signed certificate as a workaround. It’s B&R version 10a so I cannot Repair the installation - there’s no such option in the installer.

How can I fix this?

Hello, hope you are fine!

Can you share some screenshots of the error with us?

Userlevel 4

There is such a string in the logs, could it be the key to the solution? How can I inject the key into the current installation?

[04.08.2023 15:29:54] <04> Error    It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)

Here’s the full portion of the log file mentioning the error:

It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeProvider.CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener..ctor(ConnectionOrientedTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpChannelListener..ctor(TcpTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Veeam.Backup.Service.CRemoteInvokeServiceHolder..ctor(String ipOrDns, Int32 port, CVbServiceManagers managers)
   at Veeam.Backup.Service.CVbServiceImpl.InitSslServerChannel(CVbServiceManagers mngrs, CDisposableList disposableObjects)
   at Veeam.Backup.Service.CVbServiceImpl..ctor(CVbEnvironment env, CTerminationMediator terminator)
   at Veeam.Backup.Service.CVeeamBackupSvc.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.ServiceProcess.ServiceBase.Run(ServiceBase[] services)
   at Veeam.Backup.Service.Program.Main(String[] args)

@coolsport00 I ended up on this forum because when I try to register at https://forums.veeam.com/ it says my email domain is banned.

@matheusgiovanini do you mean a printscreen of the service’s error?

Userlevel 7
Badge +20

There is such a string in the logs, could it be the key to the solution? How can I inject the key into the current installation?

[04.08.2023 15:29:54] <04> Error    It is likely that certificate may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. (System.ArgumentException)

 

@coolsport00 I ended up on this forum because when I try to register at https://forums.veeam.com/ it says my email domain is banned.

@matheusgiovanini do you mean a printscreen of the service’s error?

 

This would be the case if you created the certificate externally and didn’t import the private key; you’ll need to reimport the certificate (which keeps the thumbprint etc. identical for Veeam to read) with the private key imported too.

 

If you imported it and it did have a private key, then as the error says, Veeam might not have permission to access the private key, do you know what certificate store you imported it into? Was it User, service, or Machine?

 

As for the forums.veeam.com link, that’s an R&D forum, so it’s not actually a support forum either; you should raise a case against your license in the Veeam portal.
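The two causes named in the reply above (no private key imported, or the service account lacking rights to it) can be checked directly on the backup server. The following script is an added example, not code from the thread or from Veeam; it assumes the certificate is in Cert:\LocalMachine\My, that you know its thumbprint, and that the service is VeeamBackupSvc (all three are parameters). Run it in an elevated Windows PowerShell session; -GrantAccess actually adds a Read ACE for the service account, without it the script only reports.

```powershell
# Added example (not from the thread or from Veeam): diagnose the WCF error
# "certificate may not have a private key that is capable of key exchange or the
# process may not have access rights for the private key" for a Windows service.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$ServiceName = 'VeeamBackupSvc',   # assumed service name
    [switch]$GrantAccess                        # add a Read ACE for the service account
)
$ErrorActionPreference = 'Stop'

# 1. The certificate must be in the machine store. A service running as LocalSystem or a
#    service account cannot see the CurrentUser\My store of the admin who ran the import.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    $inUser = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if ($inUser) { throw "Certificate $Thumbprint is only in CurrentUser\My; reimport it into LocalMachine\My." }
    throw "Certificate $Thumbprint not found in LocalMachine\My."
}
"Subject      : $($cert.Subject)"
"HasPrivateKey: $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with this certificate; reimport it from a PFX that contains the key.'
}

# 2. Locate the key container on disk. CNG keys (RSACng) and legacy CAPI keys
#    (RSACryptoServiceProvider) live under different ProgramData paths.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\SystemKeys")
} else {
    $info    = $rsa.CspKeyContainerInfo
    $keyName = $info.UniqueKeyContainerName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    # WCF's EnsureCertificateCanDoKeyExchange rejects CAPI keys generated as
    # signature-only (AT_SIGNATURE); the key spec must be Exchange (AT_KEYEXCHANGE).
    "KeySpec      : $($info.KeyNumber)"
    if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        Write-Warning 'Key was generated as signature-only; regenerate or reimport it with KeySpec=1 (AT_KEYEXCHANGE).'
    }
}
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$keyName' not found under $($keyDirs -join ', ')." }
"KeyFile      : $keyFile"

# 3. Compare the key file ACL with the account the service runs as.
$svc     = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$account = $svc.StartName                  # e.g. LocalSystem or DOMAIN\svc_veeam
"ServiceUser  : $account"
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($GrantAccess) {
    # LocalSystem is spelled NT AUTHORITY\SYSTEM in file ACLs.
    $identity = if ($account -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $account }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $identity. Restart the service: Restart-Service $ServiceName"
}
```

Usage: `.\Test-ServiceCertKey.ps1 -Thumbprint <hex> [-GrantAccess]`. Read on the key file is all a TLS listener needs; do not grant Full Control, and if the key turns out to be in the wrong store or signature-only, the fix is a reimport, not an ACL change.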

Userlevel 7
Badge +17

Hi @pgadmin - I mean Veeam Support, not the Veeam Forums. The Forums tend to ask for a Veeam Support Case ID when seeking assistance there. I’m not necessarily discouraging you from using the Community Hub. But, because your backup environment is down, and certificate issues can be a bit tricky, I thought it best to open a Veeam Support ticket to get you back up & running as quick as possible.

That being said, according to your log message, did you have a password associated with your cert when you imported it? When you created your cert, did you have both a public & private key created?

Userlevel 4

@MicoolPaul

do you know what certificate store you imported it into? Was it User, service, or Machine?

I’m sorry, I don’t know. I imported it here

Then it hung for about 20 minutes, then I closed everything and ended up here.

you’ll need to reimport the certificate (which keeps the thumbprint etc identical for Veeam to read) with the private key imported too

How can I achieve that?

 

@coolsport00 

When you created your cert, did you have both a public & private key created?

I have both .cer and .key files. But since the service is not starting, the B&R console can’t start either. So I can’t import the certificate from the Console’s menu. Do you know any other way to import a certificate into the Veeam software?

Userlevel 7
Badge +17

@pgadmin ...trying to think, but I can’t think of any other way to do the reimport without being able to open the Console. Another reason why I suggest opening a ticket with Veeam Support. From your screenshot, it looks like the import probably puts the cert in the Personal Cert Store, which you can look at/verify if you open certificates.msc.

If I come up with a way to reimport, I’ll let you know.

Userlevel 4

@coolsport00

I don’t know exactly how it helped, because it still shows that B&R uses a self-signed certificate, but it finally runs! I converted my cer+key pair to a PFX and put it into the Personal certificates of the Local Computer.

Thanks for the help by pointing that Veeam uses OS embedded key storage!

 

Userlevel 7
Badge +17

@pgadmin - no, I didn’t suggest importing the cert into the Personal Store. I only suggested looking in the Personal Store, as it appeared that was the location the cert import via Veeam Console goes to, based on the screenshot you provided (it says it imports into the “local Certificate Store”).

At this point, I suggest opening a case.

Userlevel 7
Badge +17

Well, glad it’s now working for you. I suggest to test everything out to make sure all is well.

Cheers.

Userlevel 4

@coolsport00 

The reason I messed with certificates is that I wanted to suppress the warning when adding ESXi to B&R. The thing is, when I open ESXi’s Web UI through the web browser, it says my certificate is valid. But B&R keeps saying something is wrong with the name.

Do you know any solution to make B&R fine with ESXi’s certificate? I’m asking here because I really don’t want to spam threads.

Userlevel 7
Badge +17

I honestly am not 100% sure. If I had to guess (and this is just a guess), although your cert is valid on your ESXi Host via browser, this only means all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from, which means they’re all in the local Cert Store on that machine. If your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server, this may be the reason for the untrusted cert warning message you see when adding Hosts to VBR. And, I think my interpretation is correct, according to Veeam’s User Guide on adding vSphere Hosts

Userlevel 4

@coolsport00

Thanks for the reply, I’ve checked the link! Sadly, nothing tells me where the error ‘Remote certificate name mismatch’ originates from.

all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from

 

your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server

It’s the same PC. I actually wanted to show it with the screenshot, where the two windows of the browser and the VBR Console are side by side. This confuses me: why are all the local certificates enough for the browser but not for VBR?

 

Userlevel 7
Badge +17

Hi @pgadmin ...hmm...well, I'm out of ideas then. I thought for sure that could be the reason but I guess not. Maybe a PM in the Forums can shed some light on why that behavior occurs. 

Userlevel 7
Badge +7

@coolsport00

Thanks for the reply, I’ve checked the link! Sadly, nothing tells me where the error ‘Remote certificate name mismatch’ originates from.

all certs (cert > Intermediate > Root) are trusted on the machine you connect to your ESXi Host from

 

your VBR Server doesn’t have all certs for every ESXi Host in your local Cert Store on the VBR Server

It’s the same PC. I actually wanted to show it with the screenshot, where the two windows of the browser and the VBR Console are side by side. This confuses me: why are all the local certificates enough for the browser but not for VBR?

 

When you generated the Certs, did you specify a san:dns= attribute?

Userlevel 4

When you generated the Certs, did you specify a san:dns= attribute?

Yes, I did. I didn’t specify a CN though; maybe that’s the problem, but I wasn’t able to check since I left everything up and running as is.
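Whether a TLS client reports “Remote certificate name mismatch” depends on the exact name the client connected with and on the SAN (and, only if there is no DNS SAN, the CN) in the certificate the server presents; a browser and another client will disagree when they were given different names (FQDN vs short name vs IP). The script below is an added example, not from the thread or from Veeam: it fetches the leaf certificate from the host, lists its SAN and CN, and checks the name you pass against them the way RFC 6125 host-name validation does. It assumes port 443, an English Windows locale for the extension text, and that $HostName is exactly what is typed into B&R.

```powershell
# Added example (not from the thread or from Veeam): explain a TLS name mismatch by
# comparing the connected-to name against the server certificate's SAN/CN.
param(
    [Parameter(Mandatory = $true)][string]$HostName,   # exactly the name typed into B&R
    [int]$Port = 443                                   # assumed ESXi management port
)
$ErrorActionPreference = 'Stop'

function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only inspect it, we do not trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CertificateNames($cert) {
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format($false) yields e.g. "DNS Name=esxi01.lab.local, IP Address=10.0.0.5" (English locale assumed)
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            $kv = $entry -split '=', 2
            if ($kv.Count -eq 2) { $names += [pscustomobject]@{ Type = $kv[0].Trim(); Value = $kv[1].Trim() } }
        }
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += [pscustomobject]@{ Type = 'CN'; Value = $cn } }
    return $names
}

function Test-HostNameMatch([string]$HostName, $names) {
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostName, [ref]$ip)) {
        # An IP literal only matches an "IP Address" SAN entry, never the CN.
        return [bool]($names | Where-Object { $_.Type -eq 'IP Address' -and $_.Value -eq $ip.ToString() })
    }
    $dns = @($names | Where-Object Type -eq 'DNS Name')
    # Per RFC 6125 the CN is consulted only when the certificate has no DNS SAN entries.
    $candidates = if ($dns.Count -gt 0) { $dns.Value } else { @($names | Where-Object Type -eq 'CN').Value }
    foreach ($c in $candidates) {
        if ($c -ieq $HostName) { return $true }
        # Wildcard matches exactly one label: *.lab.local matches a.lab.local, not a.b.lab.local
        if ($c.StartsWith('*.') -and $HostName -ilike $c -and
            $HostName.Split('.').Count -eq $c.Split('.').Count) { return $true }
    }
    return $false
}

$cert  = Get-RemoteCertificate $HostName $Port
$names = Get-CertificateNames $cert
"Presented certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
$names | Format-Table -AutoSize
if (Test-HostNameMatch $HostName $names) {
    "OK: '$HostName' matches the certificate's names."
} else {
    "MISMATCH: '$HostName' is not in the SAN/CN listed above. Add the host to B&R under one of those names, or reissue the certificate with '$HostName' in its SAN."
}
```

If the browser accepts the host while this reports MISMATCH for the name used in B&R, the two clients are simply using different names; a CN alone does not help once the certificate carries any DNS SAN entry.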

Userlevel 7
Badge +7

Let us know how you get on @pgadmin 

OK, so I am just adding this here because the search engine takes me here when I look up the same error about certificates not having access to the private key.

 

I had a pretty unique situation, but maybe it will help. I was migrating the Veeam VM from an old Linux-based hypervisor called QEMU. I used VMware Converter to migrate it to ESXi. But after I did it, I got this error and the service would not start. It turns out that uninstalling the QEMU tools somehow corrupted the certificate, so it no longer had any private key attached. It would then come up and say it could not manage private keys for the “Veeam backup server certificate” because “no keys found for certificate!”.

 

I went back to the old server (pre-migration), found the certificate in the certificate store and exported it as a PFX file. I was able to export the private key as well. Then I simply imported the PFX file to the new server, rebooted, and Veeam now starts and runs fine. I am not sure how you would get around this if you didn’t have the key, or a way to export it, so I got really lucky here. Just passing it on in case it helps someone, even though my situation is not common at all… It’s also very hard to find the old 9.5 ISOs; apparently I have to contact support, but our support expired some years ago.

 

If you right-click on the certificate, try to manage private keys, and it says “no private keys found for certificate!”, you are somewhat screwed. I even tried a reinstall from the 9.5.4.2886 ISO that I had, but that did not work either.
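Both fixes reported in this thread come down to getting the certificate and its private key into Cert:\LocalMachine\My, the store a Windows service can read: either export a PFX from a machine that still has the key (the migration case directly above) or merge a separate .cer + .key pair into a PFX (the cer+key case earlier in the thread). The script below is an added example, not code from the thread or from Veeam. Paths and file names are placeholders; for the merge path it assumes openssl.exe is on PATH; Import-PfxCertificate and Export-PfxCertificate come with the built-in PKI module. Run elevated.

```powershell
# Added example (not from the thread or from Veeam): build a PFX that contains the private
# key and import it into the machine store, then verify the key actually came along.
param(
    [string]$Thumbprint,                 # (a) cert on a source machine that still has the key
    [string]$CerPath = '.\veeam.cer',    # (b) PEM or DER certificate (placeholder path)
    [string]$KeyPath = '.\veeam.key',    # (b) PEM private key (placeholder path)
    [string]$PfxPath = '.\veeam.pfx',
    [string]$ServiceName = 'VeeamBackupSvc'
)
$ErrorActionPreference = 'Stop'
$pfxPassword = Read-Host -AsSecureString 'PFX password'

if ($Thumbprint) {
    # (a) Export from the source machine. This fails if the key was imported non-exportable
    #     or if the store no longer links a key to the cert ("no keys found for certificate").
    #     In the latter case 'certutil -repairstore My <thumbprint>' can re-link a key
    #     container that still exists on disk; if the container is really gone, reissue.
    $src = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $src) { throw "Certificate $Thumbprint not found in LocalMachine\My." }
    if (-not $src.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine." }
    Export-PfxCertificate -Cert $src -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
} else {
    # (b) Merge certificate and key into PKCS#12 with OpenSSL (external tool, assumed on PATH).
    #     The password is passed through an environment variable so it does not appear on
    #     the command line of the openssl process.
    $env:PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
    try {
        & openssl pkcs12 -export -in $CerPath -inkey $KeyPath -out $PfxPath -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
    } finally { Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue }
}

# Import into the machine store (not CurrentUser), key exportable so it can be moved again.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword -Exportable
"Imported $($imported.Thumbprint) ($($imported.Subject)); HasPrivateKey=$($imported.HasPrivateKey)"
if (-not $imported.HasPrivateKey) { throw 'The PFX did not contain a private key; the service will fail the same way.' }

# The service reads the store at start-up, so restart it to pick up the change.
Restart-Service -Name $ServiceName
```

Getting the certificate with its key into LocalMachine\My is what brought the service back in both reports above; which certificate Veeam presents as the backup server certificate is still selected in the Console afterwards, as the earlier replies note.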

Userlevel 7
Badge +7

Thanks for including your info @pstextractor 

Might come in handy for someone with a similar issue in the future
