Veeam Backup Jobs Failing with Invalid Remote Certificate After vCenter Appliance Reinstall or Certificate Renewal
After reinstalling or replacing a vCenter Server Appliance (vCSA), or after renewing ESXi/vCenter SSL certificates, Veeam backup jobs fail with a certificate validation error because Veeam's stored certificate fingerprint no longer matches the server's current certificate. The resolution requires navigating to Backup Infrastructure in the Veeam console, opening the affected server's Properties wizard, and accepting the newly presented certificate. Once accepted, backup jobs resume normally without any credential or job reconfiguration.
Indicators
- Veeam backup job fails with error: 'The remote certificate is invalid according to the validation procedure'
- Backup jobs that previously completed successfully now fail following a vCenter/ESXi reinstall or certificate renewal
- Certificate fingerprint mismatch detected between Veeam's stored value and the server's current certificate
- All backup jobs targeting the affected vCenter or ESXi host fail consistently while other jobs succeed
Likely causes
- vCenter Server Appliance (vCSA) was reinstalled, generating a new self-signed SSL certificate with a different fingerprint
- VMware ESXi or vCenter SSL certificate was manually renewed or replaced by an administrator
- Veeam's internally stored certificate fingerprint is stale and no longer matches the server's live certificate
Diagnostic steps
-
Review the failed Veeam backup job log and confirm the error message contains 'The remote certificate is invalid according to the validation procedure' to establish certificate mismatch as the root cause
-
Open the Veeam Backup & Replication console and navigate to 'Backup Infrastructure' in the left-hand panel
-
Locate the affected VMware ESXi or vCenter server in the infrastructure list — it will typically be listed under 'VMware vSphere'
-
Right-click the affected server and select 'Properties' to open the server configuration wizard
-
Click through the wizard pages to the end and click 'Finish' — if the certificate has changed, Veeam will display a certificate mismatch prompt showing the new certificate details
-
Review the new certificate details presented in the prompt (thumbprint, issuer, expiry) to confirm this is the expected server certificate, then click 'Continue' or 'Accept' to trust and import the new certificate
-
Re-run the previously failing backup job manually to confirm the certificate error is resolved and the job completes successfully
Resolution path
- Confirm the backup job error log contains the certificate validation failure message
- Open the Veeam Backup & Replication console
- Navigate to Backup Infrastructure in the left-hand panel
- Right-click the affected VMware ESXi or vCenter server and select 'Properties'
- Proceed through all wizard steps and click 'Finish'
- Accept the new certificate when the mismatch prompt is displayed after verifying the certificate details
- Retry the failing backup job manually to verify successful completion
Prevention
- Before reinstalling or replacing a vCenter appliance, record the existing certificate fingerprint and schedule a Veeam certificate update immediately after the rebuild
- After any planned vCenter or ESXi certificate renewal, proactively update the certificate in Veeam Backup Infrastructure before the next scheduled backup run to avoid overnight job failures
- Use CA-signed certificates for vCenter and ESXi hosts to reduce unplanned or untracked certificate changes
- Include a Veeam certificate acceptance step in all vCenter reinstall and certificate renewal runbooks and change records
- Monitor Veeam backup job alerts and configure email notifications to detect certificate errors promptly rather than discovering failures the following morning
Tools
- Veeam Backup & Replication Console
- Veeam Backup Infrastructure Manager