Troubleshooting TLS Error: "x509: certificate signed by unknown authority"
Error:
Backup jobs fail to connect to the storage vault, and the error logs show a message similar to the following:
Can't access Storage Vault: Retried 3 times over 0:04: Post "https://csw.eazybackup.ca/api/v1/bucket/checkauth": tls: failed to verify certificate: x509: certificate signed by unknown authority
Cause
This error is commonly caused by a firewall or Unified Threat Management (UTM) appliance at the customer's site that is performing SSL/TLS Inspection.
Appliances like the FortiGate 40F/70F intercept encrypted traffic to scan it for threats. When doing so, the firewall presents its own certificate to the backup software instead of eazyBackup's certificate. The backup software does not trust the firewall's certificate and terminates the connection, leading to the "unknown authority" error.
This frequently happens when the firewall's web filter (e.g., FortiGuard) categorizes the storage vault domain (csw.obcbackup.com) as "Unrated" and the default security policy is set to block such traffic.
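To confirm interception before changing firewall policy, the added example below (not eazyBackup's code) reads the certificate actually presented for the vault host and reports its issuer; an issuer naming the firewall rather than a public CA points to TLS inspection. It is written in Go, whose crypto/x509 package produces the error wording shown above, and `Diagnose` and `Result` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Result describes the certificate an endpoint presented (illustrative type).
type Result struct {
	Subject, Issuer  string
	Trusted          bool // chains to the supplied roots for this hostname
	UnknownAuthority bool // same condition the backup agent reports
}

// Diagnose connects to addr, records the presented leaf certificate, then
// verifies it for serverName against roots (nil means the system trust store).
// InsecureSkipVerify is set only so the certificate can be read; no data is sent.
func Diagnose(addr, serverName string, roots *x509.CertPool) (Result, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return Result{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c) // any intermediates the peer sent along with the leaf
	}
	leaf := certs[0]
	res := Result{Subject: leaf.Subject.String(), Issuer: leaf.Issuer.String()}
	_, verr := leaf.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inter})
	res.Trusted = verr == nil
	var ua x509.UnknownAuthorityError
	res.UnknownAuthority = errors.As(verr, &ua)
	return res, nil
}

func main() {
	host := "csw.eazybackup.ca" // storage vault host from the error message above
	res, err := Diagnose(host+":443", host, nil)
	if err != nil {
		fmt.Println("connect failed:", err)
		return
	}
	fmt.Printf("subject: %s\nissuer:  %s\ntrusted: %v\nunknown authority: %v\n",
		res.Subject, res.Issuer, res.Trusted, res.UnknownAuthority)
}
```

Run it from a machine behind the same firewall as the backup agent, and again from an unfiltered network; a different issuer between the two runs confirms the appliance is replacing the certificate.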
Resolution on FortiGate Firewalls
You can resolve this by either creating a specific exception for the domain or by changing the default behavior for unrated sites.
Option 1: Set "Unrated" Category to Monitor (Quick Fix)
This method adjusts the web filter to log and allow all traffic to websites not yet categorized by FortiGuard.
Log into the FortiGate appliance's management interface.
Navigate to Security Profiles > Web Filter.
Select the web filter profile that is currently active for your network traffic.
Under the FortiGuard Category Based Filter, find the Unrated category.
Click on the action next to "Unrated" and change it from Block to Monitor.

Option 2: Whitelist the Storage Vault Domain (Recommended)
This is a more secure and targeted approach, as it only creates an exception for the required backup service domain.
Navigate to Security Profiles > Web Filter and select the active profile.
Find the Static URL Filter section and create a new entry.
URL: csw.obcbackup.com or csw.eazybackup.ca
Type: Wildcard
Action: Allow
Save the new entry and the profile changes.
After applying either of these solutions, the backup agent should be able to connect to the storage vault successfully.