He is deleting the backups. [image: 1780082851713-0f6fe215-cc94-4bae-9c8e-c2fd88ccc7a1-image.jpeg]

@mdm Similar to the name-description parameter, the CLI ignores this parameter. The expected way to use would be to set the field value after the SR has been created. I'll make a work item to change the CLI and warn of ignored parameters so confusion like this doesn't happen

@pdonias confirmed... [image: 1780065202934-screenshot-2026-05-29-103255.png]

@semarie I'll try to investigate to help you. Is it possible to run: stat /etc/xensource/xapi-pool-tls.pem openssl x509 -in /etc/xensource/xapi-pool-tls.pem -noout -text stat /etc/xensource/xapi-ssl.pem openssl x509 -in /etc/xensource/xapi-ssl.pem -noout -text (This file must exist; if not, I'd like the output of cat /etc/stunnel/xapi.conf.) And I'd like the same output for /etc/xensource/xapi-ssl.pem. If the certificate for /etc/xensource/xapi-pool.tls.pem has expired or it's empty, you can run: xe host-refresh-server-certificate host=$(hostname) If the certificate for /etc/xensource/xapi-ssl.pem has expired or it's empty, you can run: xe host-emergency-reset-server-certificate After running one of the two commands above, I recommend to do: xe-toolstack-restart (This should indeed restart the stunnel@xapi.service) I hope this helps.

Hi @halvor, FYI, ACL V2 / RBAC is now available in the REST API. You can create a privilege that only give you read privilege on your host. You can see the RBAC doc. A dedicated thread is available on the forum thread, please feel free to share your feedback. Thank you.