Backblaze certificate no longer accepted

Recently, I’ve started receiving errors when backing up to Backblaze.

Using latest Vertical Backup 1.4.3 on ESXi 6.5 with latest security patches.

2021-12-03 10:01:32.370043 INFO PROGRAM_VERSION Vertical Backup 1.4.3
2021-12-03 10:01:33.368609 WARNING B2_CALL Failed to send request post https://api.backblazeb2.com/b2api/v1/b2_authorize_account: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2021-12-03 10:01:34.530926 WARNING B2_CALL Failed to send request post https://api.backblazeb2.com/b2api/v1/b2_authorize_account: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

This seems to be related to them getting a new Let’s Encrypt certificate recently:

michael@brincess ~/ $ curl https://api.backblazeb2.com/b2api/v1/b2_authorize_account -v
*   Trying 206.190.215.15:443...
* Connected to api.backblazeb2.com (206.190.215.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=backblazeb2.com
*  start date: Nov 30 02:22:14 2021 GMT
*  expire date: Feb 28 02:22:13 2022 GMT
*  subjectAltName: host "api.backblazeb2.com" matched cert's "*.backblazeb2.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Let’s Encrypt “recently” switched to no longer cross-signing their certificates with the now-expired DST Root CA X3, so that might be related too.

I have also run into this issue. Quite annoying since I just switched to Backblaze for my backups :roll_eyes:


Any update on this?

It seems the certificates are embedded in the verticalbackup executable and extracted on each run (ignoring the host CA roots), so I cannot see a proper workaround I can put in place myself, nor can I see an option to temporarily ignore certificate checks to work around the issue while it gets fixed.

This is a pretty serious deficit preventing any backup/restore/backup management for over two weeks now.

Vertical Backup uses requests to make https connections. You can change the default CA certs by setting REQUESTS_CA_BUNDLE:

export REQUESTS_CA_BUNDLE=/path/to/cacert.pem

I would suggest downloading the latest cacert.pem file from https://curl.se/docs/caextract.html.


Thanks, seems to be working!

This worked for me as well.

The export command doesn’t seem to be a permanent fix though. When I try to run a backup again on a new SSH session to my ESXi host it fails and I need to run the export command again to fix it. @ghcen is there a way to permanently fix this?
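An added example, not part of the thread and not Vertical Backup's own code: a POSIX sh wrapper that sets REQUESTS_CA_BUNDLE only for the command it launches, so nothing depends on the variable having been exported in the current SSH session, and that refuses to run if the bundle is missing, is not PEM, or was cut off during download. The function names and the invocation shown in the comments are assumptions, and the marker count only catches a missing or damaged file; it does not validate the certificates themselves.

```shell
#!/bin/sh
# Added example: run one command with REQUESTS_CA_BUNDLE set for that process
# only, after checking that the bundle looks like a complete PEM file.
# check_ca_bundle and run_with_ca_bundle are hypothetical helper names.

# check_ca_bundle FILE -> 0 if FILE is a plausible PEM CA bundle
check_ca_bundle() {
    bundle=$1
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "CA bundle not found or unreadable: $bundle" >&2
        return 2
    fi
    # grep -c prints 0 and exits non-zero when nothing matches, hence "|| true"
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begin" -eq 0 ]; then
        echo "no PEM certificates in $bundle (saved error page?)" >&2
        return 3
    fi
    if [ "$begin" -ne "$end" ]; then
        echo "truncated bundle: $begin BEGIN vs $end END markers" >&2
        return 4
    fi
    return 0
}

# run_with_ca_bundle FILE COMMAND [ARGS...]
# The variable is placed in COMMAND's environment only; the calling shell and
# other processes keep whatever they had, and verification stays enabled.
run_with_ca_bundle() {
    bundle=$1
    shift
    check_ca_bundle "$bundle" || return $?
    REQUESTS_CA_BUNDLE=$bundle "$@"
}

# Assumed invocation: wrapper.sh /path/to/cacert.pem COMMAND [ARGS...]
if [ "$#" -ge 2 ]; then
    run_with_ca_bundle "$@"
    exit $?
fi
```

Both the wrapper and cacert.pem need to live somewhere that survives a host reboot for this to hold up over time.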