Backblaze certificate no longer accepted

klafbang · December 3, 2021, 11:31am

Recently, I’ve started receiving errors when backing up to Backblaze.

Using latest Vertical Backup 1.4.3 on ESXi 6.5 with latest security patches.

2021-12-03 10:01:32.370043 INFO PROGRAM_VERSION Vertical Backup 1.4.3
2021-12-03 10:01:33.368609 WARNING B2_CALL Failed to send request post https://api.backblazeb2.com/b2api/v1/b2_authorize_account: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2021-12-03 10:01:34.530926 WARNING B2_CALL Failed to send request post https://api.backblazeb2.com/b2api/v1/b2_authorize_account: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

This seems to be related to them getting a new Let’s Encrypt certificate recently:

 michael@brincess      ~/      curl https://api.backblazeb2.com/b2api/v1/b2_authorize_account -v
*   Trying 206.190.215.15:443...
* Connected to api.backblazeb2.com (206.190.215.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=backblazeb2.com
*  start date: Nov 30 02:22:14 2021 GMT
*  expire date: Feb 28 02:22:13 2022 GMT
*  subjectAltName: host "api.backblazeb2.com" matched cert's "*.backblazeb2.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Let’s Encrypt “recently” switched to no longer cross-signing their certificates with the now-expired DST Root CA X3, so that might be related too.

MA-NET · December 8, 2021, 5:00am

I have also run into this issue. Quite annoying since I just switched to Backblaze for my backups

klafbang · December 20, 2021, 10:11pm

Any update on this?

It seems the certificates are embedded in the verticalbackup executable and extracted on each run (ignoring the host CA roots), so I cannot see a proper workaround I can put in place myself, nor can I see an option to temporarily ignore certificate checks to work around the issue while it gets fixed.

This is a pretty serious deficit preventing any backup/restore/backup management for over two weeks now.

gchen · December 26, 2021, 2:00am

Vertical Backup uses requests to make https connections. You can change the default CA certs by setting REQUESTS_CA_BUNDLE:

export REQUESTS_CA_BUNDLE=\path\to\cacert.pem

I would suggest downloading the latest cacert.pem file from https://curl.se/docs/caextract.html.

klafbang · December 27, 2021, 12:45pm

Thanks, seems to be working!

ian · January 16, 2022, 12:56am

This worked for me as well.

ian · January 16, 2022, 8:20pm

The export command doesn’t seem to be a permanent fix though. When I try to run a backup again on a new SSH session to my ESXi host it fails and I need to run the export command again to fix it. @ghcen is there a way to permanently fix this?

gchen · January 30, 2022, 4:00am

A new version 1.4.6 has been updated with the latest root certificates. You can download it by running:

wget http://verticalbackup.com/esxi/vertical
chmod u+x vertical
sha256sum vertical # e6d55b2999f6994cb366870618cf66914683f908b2f175c991ef38f0a54e88a1

ian · January 30, 2022, 4:44pm

Can confirm this corrects the b2 cert issue. Thank you!