#1 Global Leader in Data Resilience

Error "Failed to establish connection to Amazon S3 endpoint" or "Azure Cloud connection has returned an untrusted certificate."

KB ID: 3215
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2
Published: 2020-06-30
Last Modified: 2023-10-20
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Challenge

When attempting to add an Object Storage Repository or use an existing Object Storage Repository the following errors occur:

  • Connection to Amazon S3 object storage fails with the following error:
    Failed to load Amazon S3 Compatible configuration: Failed to establish connection to Amazon S3 Compatible endpoint. See logs for details.
    
S3 Log Example
By default, in the log %programdata%\Veeam\Backup\Satellites\BackupServer\User\Agent.PublicCloud.Satellite.log the following entries are present:
net| Retrieving certificate for s3.amazonaws.com:443 ok.
cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
cli| Result
cli| (EString) Certificate = -----BEGIN CERTIFICATE-----
....
cli| -----END CERTIFICATE-----
cli|
cli| (EBoolean) IsTrusted = true
cli| AmazonRest.S3.TestConnection
cli| (EGuid) ClientId = {abcf50ec-e8a7-4cd7-a186-22fa9447c676}
cli| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
aws| Creating HTTP client. API URI: [https://s3.amazonaws.com]
aws| WARN|HTTP request failed, retry in [1] seconds, attempt number [1], total retry timeout left: [5] seconds
aws| >> |WinHttpSendRequest: 12175: A security error occurred
  • Connection to Azure storage fails with the following error:
    Azure Cloud connection has returned an untrusted certificate.
    
Azure Log Example
Info     [PublicCloudCertificateLoader] Retrieved untrusted certificate from DefaultEndpointsProtocol=https;AccountName=<account>
Info [PublicCloudCertificateLoader] Certificate is not the part of the local chain. Validating.
Warning [CertificateError] Validation complete with warnings:
Warning Remote certificate chain errors:
Warning RevocationStatusUnknown (The revocation function was unable to check revocation for the certificate.)
Info [PublicCloudCertificateLoader] Validation result: certificate is untrusted
Error Failed to connect to Azure External configuration (region = 'AzureCloud', CredsId = <guid>)
Error Azure Cloud connection has returned an untrusted certificate. (System.Exception)

Cause

This issue occurs when the machine accessing the object storage has insufficient internet access to verify that the certificate used by the object storage has not been revoked in the CA's CRL (Certificate Revocation List).

Solution

Identify the Machine Initiating the Connection to the Object Storage

To troubleshoot the certificate errors, you must first determine which machine attempted to initiate the connection with the object storage. Check the connection mode settings for the object storage repository. An Object Storage repository's connection type can be configured for 'Direct' or 'Through a gateway server'; the default is Direct.

As explained in the Connection Type window:

  • Direct - Backup proxies and agents will connect directly to object storage.

    In this case, agents also refers to products like Veeam Agent for Microsoft Windows and Veeam Agent for Linux.

    For the Direct mode, ensure backup proxies and backup agents have direct network access to object storage.
  • Through a gateway server - The backup server will automatically determine the most suitable gateway server from the list.
Connection Mode
Connection Type

Ensure Connectivity for Certificate Validation

User Guide: Certificate Validation and Revocation Information

 To verify the certificate revocation status, the machine connecting to the object storage must:

  1. have access to the internet
  2. be able to access the following certificate revocation lists (CRL):
    Addtional CRL files may be refrenced by the SSL certifcate itself, check the certificate details for more information.
If the connectivity errors continue to occur after you have verified access to the Certificate Revocation Lists (CRL) on the machine connecting to the object storage, open a case with Veeam Support.

Testing CRL Retrieval (Windows)

The following steps will document how to use the native certutil tool to test for access to the CRL files.

Note: If the Veeam Backup Service has been configured to use an account other than the default "Local System," the certutil tests must be performed using the account assigned to the Veeam Backup Service. Or, in the case of Veeam Agent for Microsoft Windows, check the account used by the Veeam Agent for Microsoft Windows service. 

 

In a Command Prompt or Windows PowerShell window, perform the following steps for each CRL to test the ability to retrieve them.

  1. Enter the following command, replacing <crl_URL> with the CRL file's URL.
certutil -url <crl_URL>
  1. Within the URL Retrieval Tool that opens, click Retrieve
CRL Retrieve
  1. Note the status that is reported
CRL Retrieve OK
The CRL was Retrieved Successfully
CRL Retrieve Failed
The CRL Retrieval Failed

Testing CRL Retrieval (Linux)

The following documents how to use wget to test for access to the CRL files.

Execute the following command for each CRL to test the ability to retrieve them.
replacing <crl_URL> with the CRL file's URL.

wget <crl_URL>

Example of successful connection:

backupsvc@gateway:~$ wget http://crl3.digicert.com/Omniroot2025.crl
--2022-07-11 20:42:32--  http://crl3.digicert.com/Omniroot2025.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 72.21.91.29
Connecting to crl3.digicert.com (crl3.digicert.com)|72.21.91.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7967 (7.8K) [application/pkix-crl]
Saving to: ‘Omniroot2025.crl.4’
Omniroot2025.crl.4  100%[===================>]   7.78K  --.-KB/s    in 0s
2022-07-11 20:42:32 (1.22 GB/s) - ‘Omniroot2025.crl.4’ saved [7967/7967]

Example of failed connection:

backupsvc@gateway:~$ wget http://crl3.digicert.com/Omniroot2025.crl
--2022-07-11 20:41:58--  http://crl3.digicert.com/Omniroot2025.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 72.21.91.29
Connecting to crl3.digicert.com (crl3.digicert.com)|72.21.91.29|:80... failed: Connection refused.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.