129701: Backups Fail with "The certificate is not accepted by the front-end server." after the SSL failed to update on an on-prem GW

7 replies [Last post]
RB
Offline
Beginner
Joined: 2017-04-28
Posts: 5

Hello everyone,

We ran into an intresting problem that I am thinking others may have seen.  

We use Acronis Cloud backup via Kaseya and it sounds like we have a unique situation.  

A month ago, I built two gateway servers.  These servers have been working great, until two days ago, which was exactly a month after they were built.  

The problem we ran into is defined here - https://kb.acronis.com/content/57417

The work-around updated the dates on the SSL certs and looked like we were back in business, nope.  All backups on the on two servers fail.  

 

I ran a re-registration of the clients to see if this helped, nope. 

I ran a port connection test - all good.  

 

Here is the latest log for one of the machines (all 130 others are similar)- 

Error

DATE AND TIME

Apr 27, 2017, 11:03:11 PM

MODULE

309

MESSAGE

Additional info:

------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB819595
Fields: {"$module":"service_process_vsa64_3917","CommandID":"8F01AC13-F59E-4851-9204-DE1FD77E36B4"}
Message: TOL: Failed to execute the command. Backing up
------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB819595
Fields: {"$module":"gtob_backup_command_addon_vsa64_3917","CommandID":"8F01AC13-F59E-4851-9204-DE1FD77E36B4"}
Message: TOL: Failed to execute the command. Backing up
------------------------
Error code: 212
Module: 161
LineInfo: 0x0B320396ADFE3EA3
Fields: {"$module":"disk_bundle_vsa64_3917","IsReturnCode":"1"}
Message: Failed to find archive 'redacted'.
------------------------
Error code: 16
Module: 515
LineInfo: 0xDF3CBAD70699540B
Fields: {"$module":"disk_bundle_vsa64_3917"}
Message: Failed to renew certificate, reason is "server doesn't trust our certificate (unknown ca)"
------------------------
Error code: 3
Module: 625
LineInfo: 0x6592A83AA4AE5D21
Fields: {"$module":"disk_bundle_vsa64_3917"}
Message: The certificate is not accepted by the front-end server. The server address has been probably changed. Please retry the operation.

 

 

Has anyone worked through this with Gateway servers before?  Any tips as to what to check into?

Thank you!

 

Evgeny Ryuntyu
Evgeny Ryuntyu's picture
Offline
Acronis Service Providers Support
Joined: 2011-10-19
Posts: 12

Hello RB,

 

My name is Evgeny, I am from Acronis Service Providers Support.

As far as I understand you have faced two issues with backups of some VMs by Acronis Backup Cloud v6.1. 

I will be glad to assist you!

Unfortunately you have not provided your backup account, so I am unable to check the errors from the console and download the system report from the affected Agent machine. The exact cause needs to be narrowed down first.

In order to investigate root cause of the issue, please send an email at mspsupport@acronis.com while providing the account name, the Customer's company name and the affected server. 
A new ticket will be generated and we will take over to assist you further. 

 

Warm Regards,

Evgeny Ryuntyu

Senior Support Specialist – Service Provider Support team | Acronis

Office: +1 781 79 14 486

RB
Offline
Beginner
Joined: 2017-04-28
Posts: 5

Sure thing!  Emailing now. 

 

 

RB
Offline
Beginner
Joined: 2017-04-28
Posts: 5

So I have continued troubleshooting and have done the following - 

Existing agent that fails - 

  • Rebooted servers
  • Checked connectivity
  • Reregister
  • Rebooted client/agent

 Same errors.  Cannot trust the certs

 

On a new client that has never had Backup - 

  • Installed.  No errors
  • Re-registered.  Probably did not need to but I wanted to verify.
  • Machine shows up in Acronis portal
  • Attempt to schedule a simple backup of one file

Fails due to the same cert errors.

 

It seems like there should be a method/process/script/manual procedure to ensure the certs in use on the server are what is expected by the agent and vise versa, but I am not familar enough with the inner workings of the SSL configs on either side.  

Has anyone else worked through rebuilding the certs between the clients and the servers?  

Reto Bättig
Offline
Beginner
Joined: 2017-05-10
Posts: 2

Hello 

Same error here on two different servers. Both Centos 7 and both are Acronis Gateway Servers on which we store some data.
We had this error last week at one of the servers. I wasnt able to fix the error. I registered and rebooted the server multiple times, but the error message still apears. One day later the error disappeared - I dont knew why. 

Today i installed a new client, which stores his data on the second server. When i wanna access the cloud storage i get the same error message "he certificate is not accepted by the front-end server". Then i again registred the Server againt and rebooted the device. The error still apears...

Already an edit while im writing this: 10 minutes later the error message doesent apper anymore. I think maybe you can really "fix" the error when you register the Gateway Server new. But after this it always need some time..

 

RB
Offline
Beginner
Joined: 2017-04-28
Posts: 5

By chance, did your servers just turn 1 month old since install?  Our cert after install was for a month.  After re-reg, it looks like it is good for a year.  I added chron jobs to re-run the command again in 11 months and then every 12 months after that to avoid the failed ssl update in the future.

 

I was able to re-register the servers again, but with the port specified to the port we are using.  We use two different ports for incoming servers to share the IP/bandwidth of our primary connection so this created some confustion with the re-register command.  

 

Also learned that the variables the command needs are directly tied to the storage config at baas.acronis.com so make sure the command has the right url:port, user name, and UID for the storage.  

 

On top of this, I was told by Acronis Support that the gateway servers are basically EOL and we should move to their on-prem cloud with Acronis Storage 2.0.   I have built this in a test env, but the overhead of the needed number of machines can be daunting for a small shop.  

RB
Offline
Beginner
Joined: 2017-04-28
Posts: 5

Two more things I needed to do -

On the client, I scrioted a deletion of the "default" folder where the cert is instaled.  

Then we scripted re-registering the clients.  The "Default" folder was rebuilt automatically when re-registering the clients.

I am not 100% sure if this was needed, but it seemed to help.

 

Reto Bättig
Offline
Beginner
Joined: 2017-05-10
Posts: 2

Sorry that i answer that late. 

After the first month you get this error "slv3 alert certificate expired" and then there is the workaround from Acronis, which you can find for example here (https://kb.acronis.com/content/57417). Like you i also created some cronjobs, which get executed every month. Some Certs are just valid for an moth i think.

But the error message you spoke about was this "The certificate is not accepted by the front-end server". And i got this error after the certs got renewed with my cronjob. But like we said, with a little patience the error disappears.