Veeam: How to Secure your Veeam Backup for Microsoft Azure instance with a Let’s Encrypt SSL certificate

Greetings friends, a few weeks ago I was showing you everything we need to know about Veeam Backup for Microsoft Azure, in case you haven’t been paying attention, I’m posting the blog series here (in Spanish):

This whole series is very complete and I hope you like it. Today I bring you one more step on how to correctly secure our instance of Veeam Backup for Microsoft Azure.

To do this we will rely on Let’s Encrypt, the famous open-source project that allows us to generate free SSL certificates.

NOTE: This process is not officially supported by Veeam, and any consequence of following the steps incorrectly, or any incidence derived from these steps will leave us without support. We will have to deploy the appliance again, keep that in mind!

Installation of system requirements

To make it all work we’re going to need a couple of packages to do all this automatically:

  • jq
  • The necessary Let’s Encrypt packages

To install jq, we will launch the following command:

Once we have jq, we will now install the Let’s Encrypt packages, which is as simple as launching the following:

This will create the following directory with the following in it:

We’re all set. Let’s move on to the next step.

Download, and configure the veeam_azure_ssl.sh script

I have created a script that what it really does is combine with the Let’s Encrypt Script, and install the SSL Certificate in Veeam Backup for Azure, which needs to be converted to .pfx in base64, but this does all the script, we will download it from here, I would put it in /root too, or in the same folder where we have downloaded Let’s Encrypt:

There are a few parameters to be set, but they are not difficult, let’s see them here:

  • veeamDomain: This is the FQDN of your VBA, for example – vba.domain.com
  • veeamSSLPassword: A password to encrypt the .pfx certificate
  • veeamUsername: The user with access to the Veeam Backup for Microsoft Azure RESTFul API
  • veeamPassword: The password for the user with access to the Veeam Backup for Microsoft Azure RESTFul API
  • veeamBackupAzureServer: The Public IP of the Veeam Backup for Azure

Once we have everything filled in, we can exit the text editor and continue with the next step.

Launching Let’s Encrypt and getting a SSL certificate

Now that we have our script ready, and also Let’s Encrypt, it’s time to launch the Let’s Encrypt command, as you know, the command can be launched with several verification modes, in this case, I’m going to use Cloudflare, but it would also work with standalone, etc. See more here about the methods there are:

The script I created will look inside /root/.acme.sh/VUESTROFQDN, so as long as everything is in this directory, it will work, let’s see how I used Cloudflare.

To know your Key de Cloudflare, here where you can find it

Once we launch this command well, we will be able to see a result similar to this:

And if everything has gone well, we will have the little message that tells us that we can go to our https://YOURFQDN, if we go we can finally see the next thing:

If we expand the SSL Certificate, we will be able to see which FQDN has assigned this SSL Certificate to us:

How to schedule the automated renewal to run every 90 days

These SSL Certificates expire every 90 days, so we can schedule it with the next command, and have a valid SSL certificate forever, as long as this scheduled task is executed:

With this, we’d be all set. Leave comments and ideas in the comments. Thank you for reading it.

Author: jorgeuk

Father, writing in https://www.jorgedelacruz.es and https://jorgedelacruz.uk Blogger, Systems Engineer @veeam - vExpert 2014/2020 & NTC 2018/19

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.