[SOLVED] HTTPS certificate problem

[Stenon]

Good morning,
When I configure the server with an external certificate in nginx and reload it (reload nginx), the web page correctly appears as HTTPS
So I was happy.
Now I'm getting an error when I try to deploy using waptdeploy.exe and the hash and the waptagent... there's an error downloading this waptagent

Code: Select all

C:\Users\wapttestuser\Downloads>waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12463 --wait=15 --waptsetupurl=https://waptserver/wapt/waptagent.exe
{"hash":"02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a","minversion":"2.2.3.12463","wait":"15","waptsetupurl":"https://waptserver/wapt/waptagent.exe"}
WAPT version:
WAPT required version: 2.2.3.12463
Wapt agent path: C:\Users\samuel.adm\AppData\Local\Temp\waptagent.exe
Wget new waptagent from https://waptserver/wapt/waptagent.exe
Trying to reach https://waptserver/wapt/waptagent.exe...
Expecting hash sha256: 02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a
Using proxy :
Error trying to get https://waptserver/wapt/waptagent.exe : Error downloading https://waptserver/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <waptserver>: Result 80090326 [SEC_E_ILLEGAL_MESSAGE], System Error 87 '']... sleeping
Delete sheduled task "fullwaptupgrade"
An unhandled exception occurred at $00403958:
Exception: Error downloading https://waptserver/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <waptserver>: Result 80090326 [SEC_E_ILLEGAL_MESSAGE], System Error 87 '']
  $00403958
  $00404D73

When I re-enter the self-signed certificate from the installation in nginx... it works again, but the HTTPS is non-compliant

PS: I tried recreating my waptagent package with a new hash... but that's not the problem... I know it's my configuration
and finally https://waptserver/wapt/waptagent.exe is properly accessible
Thanks in advance !
Samuel

[sfonteneau]

Is the problem only with waptdeploy?

[Stenon]

Apparently so...
I had set up the GPO and tested it on a machine, and it worked... but when I installed the certificate (valid for our site), the GPO stopped running, so I tried running the command manually, encountering the errors mentioned in the previous post. By reverting to the old (self-signed) certificate, the command runs correctly, and the agent is deployed on the test machine.

Is there a step I missed when installing/copying my certificate onto the Debian server?

Some details: /etc/nginx/site-enabled/wapt.conf

Code: Select all

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 _;
    return 301                  https://$host$request_uri;
}

server {
    listen                      443 ssl;
    listen                      [::]:443 ssl;
    server_name                 _;
    #server_name                 wapt.site.fr;
    # BACKUP certificat installation WAPT => autosigné
    #ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
    #ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";

    # Certificat site.fr => pour notre site ici
    ssl_certificate             "/opt/wapt/waptserver/ssl/cert+CA-site.fr.pem";
    ssl_certificate_key         "/opt/wapt/waptserver/ssl/wildcard-site.fr.pem";
    ssl_protocols               TLSv1.2;
    ssl_dhparam                 "/etc/ssl/certs/dhparam.pem";

    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           none;
    ssl_session_tickets         off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    #ssl_client_certificate "/opt/wapt/conf/ca-wapt.site.fr.crt";
    #ssl_crl "None";
    #ssl_verify_client optional;
    gzip_min_length     1000;
    gzip_buffers        4 8k;
    gzip_http_version   1.0;
    gzip_disable        "msie6";
    gzip_types          text/plain text/css application/json;
    gzip_vary           on;

    index index.html;
    client_max_body_size 12288m;
    client_body_timeout 1800;

    # sub instances
    include /opt/wapt/conf/wapt.d/*.conf;

    location /static {
            alias "/opt/wapt/waptserver/static";
    }
    location /ssl {
            alias "/var/www/ssl";
    }
    # not protected URL
    location ~ ^/(wapt/waptsetup.*.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }
    # not protected URL
    location /wads {
        alias "/var/www/wads";
    }
    # SSL protected URL
    location ~ ^/(wapt/.*|waptwua/.*|wapt-diff-repos/.*)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        # be sure these headers are not forwarded
        proxy_set_header X-Ssl-Client-Dn  "";
        proxy_set_header X-Ssl-Authenticated  "";
        root "/var/www";
    }
    # we don't want to expose our list of computers in case someone scan this folder.
    location /wapt-host/Packages {
        return 403;
    }
    location ~ ^/(wapt-host/.*)$ {
        log_not_found off;
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        proxy_set_header X-Ssl-Client-Dn  "";
        proxy_set_header X-Ssl-Authenticated  "";
        root "/var/www";
    }
    location ~ ^/.*_kerberos$ {
        return 403;
    }
    location / {
        add_header X-Remote-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
    location /socket.io {
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:8080/socket.io;
    }
}
 

THANK YOU SO MUCH!

[Stenon]

We're making a little progress...
If I change my waptdeploy call like this:

Code: Select all

waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12465 --wait=15 --waptsetupurl=https://wapt.monsite.fr/wapt/waptagent.exe

I'm getting the previous error (TLS failed)
if I change it to his IP address that works:

Code: Select all

waptdeploy.exe --hash=02dfba835e17c928933a9bf929200cd50475fc8658322e1f4484b563bfe0738a --minversion=2.2.3.12465 --wait=15 --waptsetupurl=https://[b]192.168.x.x[/b]/wapt/waptagent.exe

But the DNS settings on the client machine are OK... ping -a 192.168.xx and ping wapt.monsite.fr

Any ideas?

Thank you so much

[dcardon]

Hello Stenon,

the most common problem is that the chain is incomplete in the file /opt/wapt/waptserver/ssl/cert+CA-site.fr.pem. Please double-check that you have the intermediate certificates.

Regards,

Denis

[Stenon]

Hello,

yes, it seems the FQDN is missing from my certificate because I'm using a wildcard certificate. I read the post from January 27, 2022, and it's the same error.
Since I have to use my wildcard, I'll deploy the agent via the IP address in my GPO... and it works correctly.
Thank you for your help
Best regards,
Samuel

[dcardon]

Hi Samuel,

thanks for your feedback. I've opened an internal ticket for this issue. I'm marking the topic as resolved in the meantime.

Best regards,

Denis