EDIT: I should clarify that I'm using the Discovery version. Is this feature only available in the Enterprise version?
Hello,
I want to set up certificate authentication to secure WAPT before opening it up to the WAN.
I followed this documentation: https://www.wapt.fr/fr/doc-2.4/wapt-sec ... se-feature
And this one, because I'm also using an internal certificate authority for the WAPT server certificate: https://www.wapt.fr/fr/doc-2.4/wapt-sec ... ganization
On the agent side, it seems to work; however, I get a 401 error if I look in the console preferences (see attached screenshot): From the console, I go to "Tools -> Preferences" and there I see the line "Main repository URL" which displays "Repository access error: 401 Client Error".
From there, I don't know what to do to resolve this problem.
[RESOLVED] Implementing client-side certificate authentication
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
cefinformatique
- Messages: 31
- Registration: May 26, 2023 - 2:25 p.m.
- Attachments
-
- wapt-console.png (38.85 KB) Viewed 6966 times
Hello,
Is this CA installed in the machine certificate store?
If so, you can enter the number 1 instead of the path.
https://www.wapt.fr/fr/doc/wapt-securit ... ertificate
Bertrand
-
cefinformatique
- Messages: 31
- Registration: May 26, 2023 - 2:25 p.m.
Good morning,
Yes, the CA is present in the store of each machine registered in WAPT, and I have already set "verify_cert = 1" in wapt-get.ini
I took the opportunity to look in the nginx error logs and I found this:
2023/08/29 14:43:45 [error] 8404#8404: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.1, server: _, request: "POST /get_websocket_auth_token HTTP/1.1", upstream: "http://127.0.0.1:8080/get_websocket_auth_token", host: "wapt.xyz.info"
2023/08/29 14:43:45 [error] 8404#8404: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
2023/08/29 14:43:46 [error] 8404#8404: *11 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
2023/08/29 14:43:47 [error] 8404#8404: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.1, server: _, request: "POST /get_websocket_auth_token HTTP/1.1", upstream: "http://127.0.0.1:8080/get_websocket_auth_token", host: "wapt.xyz.info"
2023/08/29 14:43:47 [error] 8404#8404: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
2023/08/29 14:43:48 [error] 8404#8404: *17 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
2023/08/29 14:43:49 [error] 8404#8404: *19 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.1, server: _, request: "POST /get_websocket_auth_token HTTP/1.1", upstream: "http://127.0.0.1:8080/get_websocket_auth_token", host: "wapt.xyz.info"
2023/08/29 14:43:49 [error] 8404#8404: *21 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
Hello,
In the console preferences, under the Advanced tab, you need to fill in the client SSL certificate path and client SSL key path fields. Start with the second field by browsing to the .pem file located in C:\Program Files (x86)\wapt\private\.
For the first field, replace .pem with .crt.
Bertrand
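Added example (not part of the original posts, and not WAPT or nginx code): a Python triage of nginx error_log lines in the format of the excerpt quoted earlier in the thread. It separates upstream "Connection refused" entries, where nginx could not reach the proxied service on 127.0.0.1:8080, from nginx's client-certificate messages. The sample lines, addresses and host name are constructed, and the two client-certificate message strings are nginx's generic ones, assumed here rather than taken from this thread.

```python
import re
from collections import Counter

# nginx error_log layout: date time [level] pid#tid: *conn message, key: value, ...
LINE_RE = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$')
FIELD_RE = re.compile(r', (client|server|request|upstream|host): ("[^"]*"|[^,]*)')

# Constructed sample in the format of the thread's excerpt; addresses and host are placeholders.
SAMPLE_LOG = '''\
2023/08/29 14:43:45 [error] 8404#8404: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.1, server: _, request: "POST /get_websocket_auth_token HTTP/1.1", upstream: "http://127.0.0.1:8080/get_websocket_auth_token", host: "wapt.example.test"
2023/08/29 14:43:45 [error] 8404#8404: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.253, server: _, request: "OPTIONS / HTTP/1.0", upstream: "http://127.0.0.1:8080/"
2023/08/29 14:43:47 [error] 8404#8404: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.1, server: _, request: "POST /get_websocket_auth_token HTTP/1.1", upstream: "http://127.0.0.1:8080/get_websocket_auth_token", host: "wapt.example.test"
2023/08/29 14:43:50 [info] 8404#8404: *23 client SSL certificate verify error: (20:unable to get local issuer certificate) while reading client request headers, client: 192.0.2.1, server: _, request: "GET / HTTP/1.1", host: "wapt.example.test"
'''

def parse_line(line):
    """Split one error_log line into its message and trailing key: value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    first = FIELD_RE.search(rest)
    entry = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    entry.update(ts=ts, level=level, message=rest[:first.start()] if first else rest)
    return entry

def classify(entry):
    """Tell an unreachable backend apart from a TLS client-certificate rejection."""
    msg = entry['message']
    if 'Connection refused' in msg and 'connecting to upstream' in msg:
        return 'upstream_refused'      # nginx could not reach the proxied service
    if 'client SSL certificate verify error' in msg:
        return 'client_cert_rejected'  # certificate presented but not trusted
    if 'client sent no required SSL certificate' in msg:
        return 'client_cert_missing'   # no certificate presented at all
    return 'other'

def summarize(log_text):
    """Count entries per (category, upstream-or-client) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            kind = classify(entry)
            who = entry.get('upstream' if kind == 'upstream_refused' else 'client')
            counts[(kind, who)] += 1
    return counts

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

The client-certificate messages are written by nginx at `info` level, so they only appear when the `error_log` level is set to `info` or lower.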
-
cefinformatique
- Messages: 31
- Registration: May 26, 2023 - 2:25 p.m.
I think the problem stems from the fact that the console certificate was generated before the change to the internal CA.
I'm trying to generate a new certificate, but I get the following window where the fields for entering the key and the CA certificate are greyed out. Why?
-
cefinformatique
- Messages: 31
- Registration: May 26, 2023 - 2:25 p.m.
So I switched to the trial period for the enterprise license, and the fields for specifying the CA are no longer grayed out.
I then regenerated a certificate from my CA and regenerated a WAPT agent, which I reinstalled on the machine where I use the console, but nothing changed.
I'm still getting the 401 Authorization Required error.
- Attachments
-
- wapt-console.png (38.85 KB) Viewed 6861 times
- dcardon
- WAPT Expert
- Messages: 1932
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
Hi Marc,
Regarding the Discovery/Enterprise version, yes, it's a WAPT Enterprise feature as mentioned in the documentation.
Regarding the configuration, you need to add the certificate in the second tab, "Advanced," of the "Local WAPT Configuration" window:
* Client SSL certificate path
* Client SSL key path.
Once the WAPT agent is registered, the easiest way is to retrieve the certificate and key generated during registration, located in c:\program files (x86)\wapt\ssl\, copy them somewhere in your Windows user profile, and enter them in the console.
Client certificate authentication will be greatly simplified in the upcoming WAPT 2.4.2 version (Enterprise edition).
Best regards,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
