Veeam Cloud Connect Certificate Validation Errors

Recently LetsEncrypt reported the Root CA was set to expire.

Even though this was a planned occurrence, it still caused some issues with some customers, and certificate validation errors were still rarely occurring after the re-generation of new SSL certificates.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

We recently found a select few tenants continue to have certificate validation issues when targeting a Cloud Connect environment using LetsEncrypt SSL certificates.

Due to a history of working with Cloud Connect and other SSL certificate issues with providers in the past. There is a workaround for any validation issues whilst troubleshooting is been implemented.

The below registry key allows a tenant’s VBR server to skip the certificate validation and allows access to the target SP Cloud Connect environment.

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\

 Add registry key: CloudConnectCRLCheckMode

Value: 2

DWORD

In our specific case, we found that the root cause was the updated CRL URLs and specifically SonicWALL firewalls. The Sonicwalls were blocking access to the CRL URLs and not allowing validation.

http://x1.c.lencr.org/

http://x1.i.lencr.org/

The URLs below, once allowed on the firewall allowed the download of the required certificates, and the errors within Veeam were resolved.

We hope this saves some troubleshooting time for anyone impacted in the future.