...
BugZero found this defect 271 days ago.
When using Chrome or Edge to load the web page for Veeam ONE Web Client, Veeam Service Provider Console, or Veeam Backup Enterprise Manager, the page fails to load with the error: ERR_SSL_KEY_USAGE_INCOMPATIBLE
This error occurs when the certificate the site uses has KeyUsage values defined, but either the value Digital Signature or Non-Repudiation is not specified. One potential cause for these values to be missing is if the self-signed SSL certificate in use was reused from an older version of the product during an upgrade.

Default "Veeam ONE Website self-signed certificate" History

In Veeam ONE 10a and older, the self-signed certificate generated by the installer was created with the following:
KeyUsage: Key Encipherment, Data Encipherment

In Veeam ONE 11, the self-signed certificate generated by the installer was created with the following:
KeyUsage: Digital Signature, Key Encipherment, Data Encipherment

Starting in Veeam ONE 11a, the self-signed certificate generated by the installer is created with:
KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

This means that this issue will occur if a Veeam ONE deployment was initially installed with version 11 or earlier and then upgraded to newer versions using the same self-signed certificate.

Default Veeam Service Provider Console "Veeam Self-Signed Certificate" History

In Veeam Service Provider Console 5 and older, the self-signed certificate generated by the installer was created with the following:
KeyUsage: Key Encipherment, Data Encipherment

Starting in Veeam Service Provider Console 6, the self-signed certificate generated by the installer is created with:
KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

This means that if a Veeam Service Provider Console deployment was initially installed with version 5 or earlier and then upgraded to newer versions using the same self-signed certificate, the issue will occur.

Default Veeam Backup Enterprise Manager "Veeam Self-Signed Certificate" History

In Veeam Backup Enterprise Manager 10a and older, the self-signed certificate generated by the installer was created with the following:
KeyUsage: Key Encipherment, Data Encipherment

Starting in Veeam Backup Enterprise Manager 11, the self-signed certificate generated by the installer has no KeyUsage specified, meaning all uses are accepted.

This means that the issue will occur if a Veeam Backup Enterprise Manager deployment was initially installed with version 10a or earlier and then upgraded to newer versions using the same self-signed certificate.
To resolve this issue, either generate a new Veeam self-signed certificate or import a new certificate you've generated, and then assign the new certificate to the site within IIS Manager.
Veeam ONE Web API Certificate

In addition to updating the SSL Certificate used for the Veeam ONE Web Client in IIS, it is also recommended to ensure that the certificate used for Veeam ONE Web API also has the KeyUsage entries for Digital Signature and Non-Repudiation. If the Veeam ONE Web API certificate is found to be missing these values, a new certificate can be generated using the Veeam ONE Setting Utility.

Note: The Veeam ONE Web API self-signed certificate and Veeam ONE Website self-signed certificate are used for different functions, and the generate option in the Veeam ONE Setting Utility will only generate a new Veeam ONE Web API self-signed certificate.

Check Current Web API Certificate

Within the Veeam ONE Setting Utility, click the View button on the Web API Certificate tab in the Server section to review the currently installed Web API Certificate.
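
To find which installed certificates match the condition described above (KeyUsage present, but Digital Signature or Non-Repudiation missing), the check can be scripted. The following PowerShell is an added example, not Veeam code; the function name Test-CertificateKeyUsage is hypothetical, and it assumes the website and Web API certificates are stored in the computer's Personal store (Cert:\LocalMachine\My).

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not Veeam code). For each certificate, report whether its
# KeyUsage extension lacks Digital Signature or Non-Repudiation.
function Test-CertificateKeyUsage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [X509Certificate2]$Certificate
    )
    process {
        # KeyUsage is an optional extension; a certificate without it
        # places no restriction on how the key may be used.
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [X509KeyUsageExtension] } |
            Select-Object -First 1

        # Collect the required flags that the extension does not set.
        $missing = @()
        if ($ku) {
            foreach ($name in 'DigitalSignature', 'NonRepudiation') {
                if (-not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]$name)) {
                    $missing += $name
                }
            }
        }

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            KeyUsage   = if ($ku) { $ku.KeyUsages.ToString() } else { '(extension absent)' }
            Missing    = $missing -join ', '
            Affected   = [bool]$missing.Count
        }
    }
}

# Assumption: the certificates of interest are in the LocalMachine Personal store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-CertificateKeyUsage |
    Sort-Object -Property Affected -Descending |
    Format-Table -AutoSize -Wrap
```

Certificates reported with Affected set to True are candidates for replacement; match the Thumbprint against the certificate bound to the site in IIS Manager and the one shown in the Veeam ONE Setting Utility.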