[RESOLVED] Domain name change

flipflip

March 27, 2024 - 11:27

Hello everyone,

This weekend I changed my DNS and SAMBA domain name (still in nt4 mode). Since then, the agents are visible as connected in the console, but when I try to force an update on one of them, I get the following message:

```
C:\Program Files (x86)\wapt>wapt-get update
2024-03-27 11:22:21,305 ERROR Certificate check failed for https://svwapt.nouveaudom/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\svwapt.anciendom.crt
2024-03-27 11:22:21,305 CRITICAL Error merging Packages from wapt into db: None: None
2024-03-27 11:22:21,336 CRITICAL Error merging Packages from wapt-host into db:None : None
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Update package list from https://svwapt.nouveaudom/wapt, https://svwapt.nouveaudom/wapt-host
Total packages : 120
Added packages :

Removed packages :

Discarded packages count : 0
Pending operations :
  install:
  upgrade:
  additional:
  remove:
  immediate_installs:
Repositories URL :
  wapt
  wapt-host

C:\Program Files (x86)\wapt>
```

The message is clear: there is a problem with the authentication and the certificate, which refers to the old domain.
I found a page on the wiki that explains how to regenerate certificates in case of theft or loss, but I have the impression that this concerns the user certificate and not the one used by the server to communicate with the agents.

Is there a specific procedure?

Thanks in advance.
Philippe.
dcardon

March 28, 2024 - 6:38 PM

Hi Philippe,

Are you using a self-signed certificate or a public certificate (Let's Encrypt, etc.)?

It seems you have `verify_cert=1` in your `wapt-get.ini` file, and the server name in the certificate doesn't match the one in the configuration. You can temporarily resolve this by setting `verify_cert=0` while you update the certificate settings.

Are you using certificate pinning? That is, do you have `verify_cert=c:\program files (x86)\wapt\ssl\moncertif.crt`?

On a Linux server, HTTPS certificates are stored in `/opt/wapt/waptserver/ssl` if you want to update them to reflect your new server name. However, if you're using pinning, this won't resolve the issue.

If this was just a test and you haven't yet deployed to production, you can wait for the next release. In the postconf file, we've integrated the ability to create a sub-certificate with the new server name in the subjectAltName, which should resolve the issue in this case.

Regards,

Denis
Denis Cardon - Tranquil IT
flipflip

March 29, 2024 - 09:29

Good morning,

Thank you for your reply.
> Are you using a self-signed certificate or a public certificate (Let's Encrypt, etc.)?

It's self-signed.

> It appears you have `verify_cert=1` in your `wapt-get.ini` file, and the server name in the certificate doesn't match the one in the configuration. You can temporarily resolve this by setting `verify_cert=0` while you update the certificate settings.

Oddly, in `verify_cert` I have the local path on the agent to the certificate. To test, I changed it to 0 and I regained control of the test agent in the console.

> Are you using certificate pinning? That is, do you have a `verify_cert=c:\program files (x86)\wapt\ssl\moncertif.crt`?

I assumed so, based on the answer to your previous question ;)

> On the Linux server, the HTTPS certificates are stored in `/opt/wapt/waptserver/ssl` if you want to update them to reflect your new server name. However, if there's pinning, that won't resolve the issue.

I don't have a large network, so I can manually deploy the new certificate to the agents. Does the certificate need a specific configuration for WAPT, or is a standard certificate sufficient?

> If this was just a test and you haven't yet deployed to production, you can wait for the next release. In the postconf, we've integrated the ability to create a sub-certificate with the new server name in the subjectAltName, which should resolve the issue in this case.

As they say: "Too late!" ;)
dcardon

March 29, 2024 - 10:39

Hi Philippe,

If you have Active Directory, you can push back the updated agent with the modified settings.

Regarding the self-signed HTTPS certificate, if you delete/move the certificates in `/opt/wapt/waptserver/ssl`, new certificates will be generated using the new server name. You need to carefully check the output of `hostname -f` to get the FQDN, which must be included in the `wapt-get.ini` file on the agents. Then, either pin the correct certificate (`wapt-get enable-check-certificate`) or set `verify_cert=0`.

Regards,

Denis
Denis Cardon - Tranquil IT
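
An added example, not part of the thread and not Tranquil IT's code: a shell check using the `openssl` CLI for the two conditions discussed above, namely whether the certificate the server presents covers the new FQDN, and whether the copy an agent pins through `verify_cert` is still that same certificate. The function names, file names and sample certificates are constructed for the demonstration, and the name check is OpenSSL's, not WAPT's own verification logic.

```shell
#!/bin/sh
# Added example: all names, paths and certificates here are constructed samples.

# cert_matches_host CERT HOST: succeed if CERT's subjectAltName (or CN) covers HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_fingerprint CERT: print the SHA-256 fingerprint of the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_status PINNED SERVED HOST: classify an agent's pinned copy.
#   PINNED = file the agent's verify_cert points to
#   SERVED = certificate the server currently presents
#   HOST   = host name used in the agent's repository URL (hostname -f on the server)
pin_status() {
    if ! cert_matches_host "$2" "$3"; then
        echo "server-cert-wrong-name"   # regenerate the server certificate first
    elif [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]; then
        echo "pin-stale"                # agent still pins a different certificate
    else
        echo "ok"
    fi
}

# make_selfsigned NAME OUT: build a constructed self-signed sample certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_selfsigned svwapt.anciendom "$d/old"
    make_selfsigned svwapt.nouveaudom "$d/new"
    pin_status "$d/old.crt" "$d/old.crt" svwapt.nouveaudom   # server-cert-wrong-name
    pin_status "$d/old.crt" "$d/new.crt" svwapt.nouveaudom   # pin-stale
    pin_status "$d/new.crt" "$d/new.crt" svwapt.nouveaudom   # ok
    rm -rf "$d"
}
demo
```

The `pin-stale` case is the one that `verify_cert=0` hides: the server certificate is already correct, but the agent keeps trusting the old file until the new one is pinned.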