Veeam: How to Secure your Veeam Backup for Microsoft Azure instance with a Let’s Encrypt SSL certificate

Greetings friends, a few weeks ago I was showing you everything we need to know about Veeam Backup for Microsoft Azure, in case you haven’t been paying attention, I’m posting the blog series here (in Spanish):

This whole series is very complete and I hope you like it. Today I bring you one more step on how to correctly secure our instance of Veeam Backup for Microsoft Azure.

To do this we will rely on Let’s Encrypt, the famous open-source project that allows us to generate free SSL certificates.

NOTE: This process is not officially supported by Veeam, and any consequence of following the steps incorrectly, or any incidence derived from these steps will leave us without support. We will have to deploy the appliance again, keep that in mind!

Installation of system requirements

To make it all work we’re going to need a couple of packages to do all this automatically:

  • jq
  • The necessary Let’s Encrypt packages

To install jq, we will launch the following command:

sudo apt-get install jq -y

Once we have jq, we will now install the Let’s Encrypt packages, which is as simple as launching the following:

cd /root
curl | sh

This will create the following directory with the following in it:

ls -lah
total 240K
drwx------ 8 root root 4.0K May 15 10:44 .
drwx------ 5 root root 4.0K May 15 12:32 ..
-rw-r--r-- 1 root root  345 May 15 12:33 account.conf
-rwxr-xr-x 1 root root 193K May 15 09:36
-rw-r--r-- 1 root root   78 May 15 09:36
drwxr-xr-x 3 root root 4.0K May 15 10:44 ca
drwxr-xr-x 2 root root 4.0K May 15 09:36 deploy
drwxr-xr-x 2 root root 4.0K May 15 09:36 dnsapi
-rw-r--r-- 1 root root  332 May 15 14:49 http.header
drwxr-xr-x 2 root root 4.0K May 15 09:36 notify

We’re all set. Let’s move on to the next step.

Download, and configure the script

I have created a script that what it really does is combine with the Let’s Encrypt Script, and install the SSL Certificate in Veeam Backup for Azure, which needs to be converted to .pfx in base64, but this does all the script, we will download it from here, I would put it in /root too, or in the same folder where we have downloaded Let’s Encrypt:

There are a few parameters to be set, but they are not difficult, let’s see them here:

  • veeamDomain: This is the FQDN of your VBA, for example –
  • veeamSSLPassword: A password to encrypt the .pfx certificate
  • veeamUsername: The user with access to the Veeam Backup for Microsoft Azure RESTFul API
  • veeamPassword: The password for the user with access to the Veeam Backup for Microsoft Azure RESTFul API
  • veeamBackupAzureServer: The Public IP of the Veeam Backup for Azure
# Configurations
# Endpoint URL for login action
veeamSSLPassword="YOURVEEAMSSLPASSWORD" #Introduce a password that will be use to merge the SSL into a .PFX
veeamBackupAzurePort="443" #Default Port

Once we have everything filled in, we can exit the text editor and continue with the next step.

Launching Let’s Encrypt and getting a SSL certificate

Now that we have our script ready, and also Let’s Encrypt, it’s time to launch the Let’s Encrypt command, as you know, the command can be launched with several verification modes, in this case, I’m going to use Cloudflare, but it would also work with standalone, etc. See more here about the methods there are:

The script I created will look inside /root/, so as long as everything is in this directory, it will work, let’s see how I used Cloudflare.

cd /root
export CF_Email="[email protected]" # La direccion email que usamos en CloudFlare --issue -d YOURBA.DOMAIN.COM --dns dns_cf --reloadcmd "/root/" --force

To know your Key de Cloudflare, here where you can find it

Once we launch this command well, we will be able to see a result similar to this:

[Fri May 15 12:32:56 UTC 2020] Single domain=''
[Fri May 15 12:32:56 UTC 2020] Getting domain auth token for each domain
[Fri May 15 12:32:58 UTC 2020] Getting webroot for domain=''
[Fri May 15 12:32:58 UTC 2020] is already verified, skip dns-01.
[Fri May 15 12:32:58 UTC 2020] Verify finished, start to sign.
[Fri May 15 12:32:58 UTC 2020] Lets finalize the order, Le_OrderFinalize:
[Fri May 15 12:32:59 UTC 2020] Download cert, Le_LinkCert:
[Fri May 15 12:33:00 UTC 2020] Cert success.
[Fri May 15 12:33:00 UTC 2020] Your cert is in  /root/ 
[Fri May 15 12:33:00 UTC 2020] Your cert key is in  /root/ 
[Fri May 15 12:33:00 UTC 2020] The intermediate CA cert is in  /root/ 
[Fri May 15 12:33:00 UTC 2020] And the full chain certs is there:  /root/ 
[Fri May 15 12:33:00 UTC 2020] Run reload cmd: /root/
Your Veeam Backup for Azure SSL Certificate has been replaced with a valid Let's Encrypt one. Go to
[Fri May 15 12:33:00 UTC 2020] Reload success

And if everything has gone well, we will have the little message that tells us that we can go to our https://YOURFQDN, if we go we can finally see the next thing:

If we expand the SSL Certificate, we will be able to see which FQDN has assigned this SSL Certificate to us:

How to schedule the automated renewal to run every 90 days

These SSL Certificates expire every 90 days, so we can schedule it with the next command, and have a valid SSL certificate forever, as long as this scheduled task is executed:

* * */89 * * --issue -d VUESTROVBA.DOMINIO.COM --dns dns_cf --reloadcmd "/root/" --force > /var/log/syslog

With this, we’d be all set. Leave comments and ideas in the comments. Thank you for reading it.

Author: jorgeuk

Father, writing in and Blogger, Systems Engineer @veeam - vExpert 2014/2020 & NTC 2018/19

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.