Hello,
Following a merger between 2 companies, my Linux server, which was in the XXX.fr domain, is now in the YYY.org domain.
Since then, I have had various problems, mainly with Windows updates which do not install properly or at all.
When I check the client logs, I keep getting this message: "Request signature verification failed: SSL signature verification failed for certificate {'organizationName': 'HP', 'commonName': '21CA61F1-9589-EC11-810F-C01803D8F19C'} issued by srvwapt.xxx.fr".
Upon closer inspection, I see that the certificates (in the private folder) on the clients were issued by the server srvwapt.xxx.fr.
The server certificate (in the client's SSL folder) hasn't changed.
My workstations have also changed from xxx.fr to yyy.fr, but I can see them in the console.
In the waptget.ini file on my workstations, I used the server's IP address instead of the FQDN, and it worked perfectly.
Therefore, I didn't reinstall the agents after the migration.
Is there a specific procedure to follow in this case:
- Resetting the database?
- Reinstalling agents on workstations?
- Creating a new certificate?
- Other...?
Thank you
Server migration to a new domain
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
- dcardon
- WAPT Expert
- Messages: 1929
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
Hello Jérôme,
WAPT version, server, etc. (see forum rules).
There are several ways to register a workstation on the WAPT server:
* by BIOS UUID (or random UUID)
* by FQDN.
If the agents were installed using UUID registration (the default), they will be able to register again on the server without any problem. They just need to be able to contact the server again and authenticate with their client certificate. The name of the original machine is referenced in the CA for client workstation authentication, but this is only for informational purposes; therefore, there are no issues with renaming or changing the domain.
For the HTTPS certificate, it must be recognized by the workstations. If the certificate was issued by a recognized authority by default (i.e., one present in the Windows certificate store, such as Verisign), there's nothing to do for the certificate to be recognized (as long as `verify_cert=1` tells the WAPT agent to use the Windows certificate store). If the HTTPS certificate isn't recognized, you either need to add it to the certificate store or pin it; see the WAPT documentation. But all of this isn't specific to WAPT; it's just standard HTTPS.
Then, the agent needs to point to the correct server. If you have the old server address in your local WAPT configuration, and you've renamed it on the server side, and SSL is enabled, of course, it's not going to work very well (unless you specified the SAN attribute when generating the new HTTPS certificate).
Regards,
Denis
Denis Cardon - Tranquil IT
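An added illustration of the point above about the server address and the SAN attribute (not part of the original post and not WAPT's own code): a check of whether the hosts an agent's wapt-get.ini points at are covered by the HTTPS certificate's subjectAltName. The ini content, the IP address and the certificate dict are constructed samples, and `wapt_server` / `repo_url` are assumed to be the settings holding the server URLs.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: an agent configuration that still reaches the server by IP.
SAMPLE_INI = """\
[global]
wapt_server=https://192.0.2.10
repo_url=https://srvwapt.yyy.org/wapt
verify_cert=1
"""

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "srvwapt.xxx.fr"),),),
    "subjectAltName": (("DNS", "srvwapt.xxx.fr"), ("DNS", "srvwapt.yyy.org")),
}


def san_covers(host, cert):
    """True if host (DNS name or IP literal) matches a subjectAltName entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # An IP literal only matches an "IP Address" entry, never a DNS one.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            want = host.lower().rstrip(".").split(".")
            have = value.lower().split(".")
            same_tail = len(want) == len(have) and want[1:] == have[1:]
            # A wildcard is honoured only as the whole left-most label.
            if same_tail and (have[0] == want[0] or (have[0] == "*" and len(have) > 2)):
                return True
    return False


def check_agent_config(ini_text, cert):
    """Report verify_cert and, per server URL, whether the certificate covers its host."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    section = cfg["global"]
    result = {"verify_cert": section.get("verify_cert", "")}
    for key in ("wapt_server", "repo_url"):
        if section.get(key):
            result[key] = san_covers(urlsplit(section[key]).hostname, cert)
    return result
```

With the constructed samples, the URL given by IP address is reported as not covered because the certificate lists only DNS names, while the URL using the new FQDN is covered.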
WAPT Server version: 2.3.0.13516 Debian 11 Bullseye
WAPT Agent version: 2.3.0.13516
Hello,
To clarify, I had installed WAPT on PCs in domain 1 and it worked perfectly.
We merged with another company and the PCs from domain 1 migrated to domain 2.
In this domain 2, I have both "old PCs" (domain 1) and new ones.
I redeployed the new wapt-get.ini file on all my old machines with the correct server and what I believe to be the correct settings.
I also deployed the new certificate to c:\....\wapt\ssl.
On the new PCs, I installed the agent from the new server.
The agents are working correctly, but I'm experiencing some strange issues I didn't have before:
From the console, I can't run the update checks (or anything else); nothing happens on the old PCs.
On the new PCs, if I type `wapt-get waptwua-install` with an admin account in the command prompt, I get an error. If I run it in admin mode, it works... (waptget_waptwuainstall.png). Is this normal?
Also, on a new PC, I'd like to install Nginx, so I downloaded the package, but when I try to deploy it, I get an error message. (error_deploy.png)
I checked the logs on the PC and there doesn't seem to be a problem.
I included my wapt-get.ini file and the log in the zip archive.
Thanks.
- Attachments
- waptservice.zip (1.99 KB)
- error_deploy.png (17.13 KB)
- waptget_waptwuainstall.png (71.61 KB)
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Hello,
you have all the symptoms of a certificate error.
Does the certificate you're signing with appear correctly in the machine's certificate tab (on the right)?
Simon
