
[SOLVED] HTTPS certificate problem

Published: October 27, 2022 - 4:46 PM
by Stenon
Good morning,
When I configure the server with an external certificate in nginx and reload it (reload nginx), the web page correctly appears as HTTPS.
So I was happy.
Now I'm getting an error when I try to deploy using waptdeploy.exe with the hash and the waptagent... there's an error downloading this waptagent.

Code:

C:\Users\wapttestuser\Downloads>waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12463 --wait=15 --waptsetupurl=https://waptserver/wapt/waptagent.exe
{"hash":"02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a","minversion":"2.2.3.12463","wait":"15","waptsetupurl":"https://waptserver/wapt/waptagent.exe"}
WAPT version:
WAPT required version: 2.2.3.12463
Wapt agent path: C:\Users\samuel.adm\AppData\Local\Temp\waptagent.exe
Wget new waptagent from https://waptserver/wapt/waptagent.exe
Trying to reach https://waptserver/wapt/waptagent.exe...
Expecting hash sha256: 02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a
Using proxy :
Error trying to get https://waptserver/wapt/waptagent.exe : Error downloading https://waptserver/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <waptserver>: Result 80090326 [SEC_E_ILLEGAL_MESSAGE], System Error 87 '']... sleeping
Delete sheduled task "fullwaptupgrade"
An unhandled exception occurred at $00403958:
Exception: Error downloading https://waptserver/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <waptserver>: Result 80090326 [SEC_E_ILLEGAL_MESSAGE], System Error 87 '']
  $00403958
  $00404D73
When I re-enter the self-signed certificate from the installation in nginx... it works again, but the HTTPS is non-compliant.

PS: I tried recreating my waptagent package with a new hash... but that's not the problem... I know it's my configuration
and finally https://waptserver/wapt/waptagent.exe is properly accessible
Thanks in advance!
Samuel

Re: Certificate problem for HTTPS

Published: October 31, 2022 - 11:57 AM
by sfonteneau
Is the problem only with waptdeploy?

Re: Certificate problem for HTTPS

Published: November 2, 2022 - 9:50 AM
by Stenon
Apparently so...
I had set up the GPO and tested it on a machine, and it worked... but when I installed the certificate (valid for our site), the GPO stopped running, so I tried running the command manually, encountering the errors mentioned in the previous post. By reverting to the old (self-signed) certificate, the command runs correctly, and the agent is deployed on the test machine.

Is there a step I missed when installing/copying my certificate onto the Debian server?

Some details: /etc/nginx/site-enabled/wapt.conf

Code:

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 _;
    return 301                  https://$host$request_uri;
}

server {
    listen                      443 ssl;
    listen                      [::]:443 ssl;
    server_name                 _;
    #server_name                 wapt.site.fr;
    # BACKUP: certificate from the WAPT installation => self-signed
    #ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
    #ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";

    # site.fr certificate => for our own site here
    ssl_certificate             "/opt/wapt/waptserver/ssl/cert+CA-site.fr.pem";
    ssl_certificate_key         "/opt/wapt/waptserver/ssl/wildcard-site.fr.pem";
    ssl_protocols               TLSv1.2;
    ssl_dhparam                 "/etc/ssl/certs/dhparam.pem";

    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           none;
    ssl_session_tickets         off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    #ssl_client_certificate "/opt/wapt/conf/ca-wapt.site.fr.crt";
    #ssl_crl "None";
    #ssl_verify_client optional;
    gzip_min_length     1000;
    gzip_buffers        4 8k;
    gzip_http_version   1.0;
    gzip_disable        "msie6";
    gzip_types          text/plain text/css application/json;
    gzip_vary           on;

    index index.html;
    client_max_body_size 12288m;
    client_body_timeout 1800;

    # sub instances
    include /opt/wapt/conf/wapt.d/*.conf;

    location /static {
            alias "/opt/wapt/waptserver/static";
    }
    location /ssl {
            alias "/var/www/ssl";
    }
    # not protected URL
    location ~ ^/(wapt/waptsetup.*.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }
    # not protected URL
    location /wads {
        alias "/var/www/wads";
    }
    # SSL protected URL
    location ~ ^/(wapt/.*|waptwua/.*|wapt-diff-repos/.*)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        # be sure these headers are not forwarded
        proxy_set_header X-Ssl-Client-Dn  "";
        proxy_set_header X-Ssl-Authenticated  "";
        root "/var/www";
    }
    # we don't want to expose our list of computers in case someone scan this folder.
    location /wapt-host/Packages {
        return 403;
    }
    location ~ ^/(wapt-host/.*)$ {
        log_not_found off;
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        proxy_set_header X-Ssl-Client-Dn  "";
        proxy_set_header X-Ssl-Authenticated  "";
        root "/var/www";
    }
    location ~ ^/.*_kerberos$ {
        return 403;
    }
    location / {
        add_header X-Remote-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
    location /socket.io {
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:8080/socket.io;
    }
}
 
THANK YOU SO MUCH!

Re: Certificate problem for HTTPS

Published: November 3, 2022 - 4:28 PM
by Stenon
We're making a little progress...
If I change my waptdeploy call like this:

Code:

waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12465 --wait=15 --waptsetupurl=https://wapt.monsite.fr/wapt/waptagent.exe
I get the previous error (TLS failed).
If I change it to its IP address, it works:

Code:

waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12465 --wait=15 --waptsetupurl=https://192.168.x.x/wapt/waptagent.exe
But the DNS settings on the client machine are OK... ping -a 192.168.xx and ping wapt.monsite.fr

Any ideas?

Thank you so much

Re: Certificate problem for HTTPS

Published: November 8, 2022 - 4:20 PM
by dcardon
Hello Stenon,

the most common problem is that the chain is incomplete in the file /opt/wapt/waptserver/ssl/cert+CA-site.fr.pem. Please double-check that you have the intermediate certificates.

Regards,

Denis

Re: Certificate problem for HTTPS

Published: November 10, 2022 - 9:59 AM
by Stenon
Hello,

yes, it seems the FQDN is missing from my certificate because I'm using a wildcard certificate. I read the post from January 27, 2022, and it's the same error.
Since I have to use my wildcard, I'll deploy the agent via the IP address in my GPO... and it works correctly.
Thank you for your help
Best regards,
Samuel
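Added example, not code from the thread or from WAPT: a small pre-deployment check for the two points raised above (Denis's note about the certificate file, and Samuel's conclusion that the wildcard certificate does not cover the name he was using). It applies the hostname-matching rule a TLS client such as SChannel uses to the host part of a `--waptsetupurl`, for the three forms seen in the thread (short hostname, FQDN, IP literal). The SAN list and the IP address are constructed placeholders, not values from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: SAN entries a wildcard certificate for site.fr might carry.
# Placeholder only; the real certificate in the thread is not shown.
WILDCARD_SAN: Dict[str, List[str]] = {"dns": ["*.site.fr", "site.fr"], "ip": []}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a single '*' may stand in for the entire left-most
    label only, so '*.site.fr' covers 'wapt.site.fr' but not 'site.fr',
    'waptserver' or 'a.b.site.fr'. Comparison is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False  # partial-label wildcards like 'w*.site.fr' are rejected
    return p_labels[1:] == h_labels[1:]


def san_covers(url: str, san: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (ok, reason): does the host in the URL match a SAN entry?"""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only covered by an iPAddress SAN, never by a dNSName.
        if any(ipaddress.ip_address(i) == ip for i in san["ip"]):
            return True, f"{host} is listed as an iPAddress SAN"
        return False, f"{host} is an IP literal with no matching iPAddress SAN"
    if "." not in host:
        return False, f"'{host}' is a single label; a wildcard cannot cover it"
    for pattern in san["dns"]:
        if _dns_match(pattern, host):
            return True, f"{host} matches dNSName {pattern}"
    return False, f"{host} is not covered by any dNSName entry {san['dns']}"


if __name__ == "__main__":
    for u in ("https://waptserver/wapt/waptagent.exe",
              "https://wapt.site.fr/wapt/waptagent.exe",
              "https://192.168.0.10/wapt/waptagent.exe"):  # constructed IP
        ok, why = san_covers(u, WILDCARD_SAN)
        print(("OK  " if ok else "FAIL"), u, "->", why)
```

To see what the server actually sends (and whether the intermediate certificate is present), `openssl s_client -connect wapt.site.fr:443 -servername wapt.site.fr -showcerts` lists the full chain as presented for that name.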

Re: Certificate problem for HTTPS

Published: November 10, 2022 - 10:11 AM
by dcardon
Hi Samuel,

thanks for your feedback. I've opened an internal ticket for this issue. I'm marking the topic as resolved in the meantime.

Best regards,

Denis