Veeam Fail

For the first time an LLM — Claude Opus 4.8 on High — solved a technical problem I would’ve never been able to solve. At least not in a reasonable amount of time. And I’m very, very good.

The problem manifested as I was installing Veeam Community Edition on an air-gapped Hyper-V server. The installer kept complaining it could not continue because it was unable to find/validate certificates. So I researched and (get this) from the vendor’s own site I downloaded the missing certificates they claimed were needed. Installed them in the correct place in Windows Server. The Veeam install still failed after that.

As happens all too often, their own support page was incorrect and the certificate actually needed was not the one they had you download. Again, vendor’s own site, vendor’s own support pages. Totally incorrect.

Here is Claude’s summary of what was wrong and the fix:

“The certificate was in the box the whole time

Air-gapped a Windows box, then tried to install Veeam Community Edition. It refused with an Authenticode error: CERT_E_CHAINING, “a certificate chain could not be built to a trusted root authority.”

The cause is what air-gapping actually does. A connected Windows box doesn’t ship knowing every root it trusts; it fetches missing intermediates on demand and refreshes its trusted roots from Microsoft in the background. Cut the wire and both stop silently. The trust store just freezes at install-day state and starts declining signatures without telling you why.

I chased the roots first, including the ones Veeam lists on their own site. No luck: Veeam moved their code signing to an Entrust EV cert and never updated the page, so the root their installer needs isn’t on the list of roots they tell you to install.

The fix was to stop trusting the documentation and read the binary. An Authenticode signature embeds its own certificate chain, roots included — two here, one for the signature (Entrust) and one for the timestamp (DigiCert), each anchored to a root the air-gapped box had never seen. Pull them out of the file, drop them in the machine’s root store, done. No internet, no vendor KB.

The machine had everything it needed to verify that installer. It just wanted to phone a friend first, and I’d taken the phone away.”
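One way to carry out the extraction the summary describes, as an added PowerShell example (not from the original post, from Claude's summary, or from Veeam). The installer path and output folder are placeholders, and it assumes Windows PowerShell 5.1, where `X509Certificate2Collection.Import()` on a signed PE file returns the certificates embedded in its signature.

```powershell
# Added example. $Installer and $OutDir are placeholders, not paths from the post.
$Installer = 'C:\Install\VeeamSetup.exe'
$OutDir    = 'C:\Install\extracted-roots'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$sig = Get-AuthenticodeSignature -FilePath $Installer
"Signature status: $($sig.Status) - $($sig.StatusMessage)"

# Every certificate carried inside the file's signature (assumption: Windows
# PowerShell 5.1, where Import() on a signed PE returns the embedded certs).
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($Installer)

$leaves = [ordered]@{ Signature = $sig.SignerCertificate; Timestamp = $sig.TimeStamperCertificate }

$report = foreach ($role in $leaves.Keys) {
    $leaf = $leaves[$role]
    if (-not $leaf) { continue }          # unsigned, or no timestamp present

    # Build the chain from local material only: no revocation lookups, and an
    # unknown root is tolerated so the chain is returned instead of rejected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.ExtraStore.AddRange($embedded)
    [void]$chain.Build($leaf)

    $top        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $selfSigned = $top.Subject -eq $top.Issuer
    $trusted    = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

    # Export only a self-signed root that the machine does not already trust.
    $file = $null
    if ($selfSigned -and -not $trusted) {
        $file = Join-Path $OutDir "$role-$($top.Thumbprint).cer"
        Export-Certificate -Cert $top -FilePath $file | Out-Null
    }
    [pscustomobject]@{
        Role = $role; TopOfChain = $top.Subject; Thumbprint = $top.Thumbprint
        SelfSigned = $selfSigned; AlreadyTrusted = $trusted; ExportedTo = $file
    }
}
$report | Format-List

# After checking each thumbprint against the CA's published value (elevated prompt):
# Import-Certificate -FilePath <ExportedTo> -CertStoreLocation Cert:\LocalMachine\Root
```

The certificates inside a file are chosen by whoever signed it, so the thumbprint comparison against the CA's own published fingerprint, obtained over a separate channel, is what makes adding the root a trust decision and not just a way to silence the error. A row with `SelfSigned` false means that chain's root was not embedded in the file and has to come from the CA directly.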

More fake bullshit-ass security causing endless problems that makes you 0% more secure. Just clownish dipshittery. Veeam used to be good.
