[SOLVED] SELF-SERVICE: An operation have Failed

Questions about WAPT Server / Requests and help related to the WAPT server
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 3:08 PM

Good morning,
We migrated from wapt 2.2 to 2.5.5
The agents on Windows have also migrated.
We have switched to HTTPS with server certificate verification (agent configuration below)

if a user or admin tries to install a package using self-service
We have a window with this error message

Code: Select all

Avertissement
"An operation has failed do you want to force the installation/removed
Operation:Installation de Toto-naps2 (tâche #60)

my agent's conference

Code: Select all

[global]
use_hostpackages=1
repo_url=https://srvwapt.local.lan/wapt
wapt_server=https://srvwapt.local.lan
verify_cert=C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt
use_repo_rules=1
use_ad_groups=1
allow_remote_reboot=1
allow_remote_shutdown=1
waptservice_admin_filter=True
limit_bandwidth=500
use_kerberos=1
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
include_dmi_inventory=1
include_wmi_inventory=1
maturities=PROD,PREPROD,DEV
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 3:38 PM

in the logs

Code: Select all

C:\Program Files (x86)\wapt\log\waptservice.log

Code: Select all

Erreur lors de l'installation de ['toto-naps2']: erreurs dans les paquets [[('https://srvwapt.toto.lan/wapt/toto-naps2_7.5.1-1_x64_windows_PROD_747ca02d392427964812ed7c806d0817.wapt', 'Could not find a suitable TLS CA certificate bundle, invalid path: C:\\Program Files (x86)\\wapt\\ssl\\server\\srvwapt.local.lan.crt'), None], [PackageRequest(package='toto-naps2',architectures=['x64'],locales=['fr'],maturities=['PROD', 'PREPROD', 'DEV'],tags=['windows-10', 'win-10', 'w-10', 'windows10', 'win10', 'w10', 'windows', 'win', 'w'],min_os_version=Version('10.0.22631'),max_os_version=Version('10.0.22631')), PackageEntry('toto-naps2','7.5.1-1' architecture='x64',maturity='PROD',target_os='windows'), 'Traceback (most recent call last):\n  File "C:\\Program Files (x86)\\wapt\\common.py", line 5347, in install\n    raise EWaptDownloadError(\'Package file %s not downloaded properly.\' % p.filename)\nwaptpackage.EWaptDownloadError: Package file toto-naps2_7.5.1-1_x64_windows_PROD_747ca02d392427964812ed7c806d0817.wapt not downloaded properly.\n']]
High
User avatar
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM
Contact :
Contact Sfonteneau

September 25, 2024 - 3:58 PM

Good morning

The HTTPS connection check is not working

The following file has apparently been deleted?

Code: Select all

 C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 4:42 PM

No, the certificate does exist on the PCs at "C:\Program Files (x86)\wapt\ssl\server'
High
User avatar
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM
Contact :
Contact Sfonteneau

September 25, 2024 - 5:23 PM

Strange, you can type this command on the machine?

Code: Select all

type  "C:\Program Files (x86)\wapt\\ssl\server\srvwapt.local.lan.crt"
To be certain

The Wapt service clearly indicates:

Code: Select all

Could not find a suitable TLS CA certificate bundle, invalid path: C:\\Program Files (x86)\\wapt\\ssl\\server\\srvwapt.local.lan.crt'
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 5:40 PM

if I try this
type "C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt"
I can see the file data displayed correctly.



in the logs
C:\Program Files (x86)\wapt\log\waptservice.log
2024-09-25 17:37:40,928 [wapttasks SocketIOClient 8764] INFO Creating socketio client: https://srvwapt.local.lan:443 client auth cert: ('C:\\Program Files (x86)\wapt\private\4c4c4544-0058-3810-8032-b2c04f523434.crt', 'C:\Program Files (x86)\wapt\private\4c4c4544-0058-3810-8032-b2c04f523434.pem') proxies: None verify_cert: C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt
2024-09-25 17:37:40,928 [wapttasks SocketIOClient 8764] INFO Connecting Socketio to https://srvwapt.local.lan:443
2024-09-25 17:37:40,943 [waptws SocketIOClient 8764] WARNING Exception ConnectionError('Connection error'), waiting 60s before retrying
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 5:41 PM

I just noticed a problem if I connect to the server via the web interface https://srvwapt.local.lan
I forgot the P in wapt...

I have an error on the self-signed certificate of the WAPT web server; it has two common names
Common name: srvwapt.local.lan
Common name: srvwat.local.lan

The one copied onto the PCs has the same error
DNS name=srvwapt.local.lan
IP address=xxx73
DNS name=srvwat.local.lan


This is the self-signed nginx certificate from when we created the WAPT server
I found the information about the nginx configuration here: /etc/nginx/sites-enabled/wapt.conf
The certificate and key are located here: /opt/wapt/waptserver/ssl/

I don't understand why I have a different certificate in the WAPT server configuration file
found here: /opt/wapt/conf/waptserver.ini

Code: Select all

clients_signing_key = /opt/wapt/conf/ca-s09wapt-srv.local.lan.fr.pem
clients_signing_certificate = /opt/wapt/conf/ca-s09wapt-srv.local.lan.crt
clients_signing_crl = /var/www/ssl/ca-s09wapt-srv.local.lan.crl
clients_signing_crl_url = http://s09wapt-srv.local.lan/wapt/ssl/ca-s09wapt-srv.local.lan.fr.crl
Last edited by skoizer on Sep 26, 2024 - 09:46, edited 2 times.
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 25, 2024 - 6:35 PM

Short
I signed the certificates with my supervisor and uploaded them to nginx
Restart nginx and it works, I can see the correct certificate on the HTTPS

I retrieved cert.pem and put it here "C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt"
same with verify_cert=1

I keep getting errors on the wapt client "C:\Program Files (x86)\wapt\log"
2024-09-25 18:32:49,201 [waptws SocketIOClient 23868] WARNING Exception ConnectionError('Connection error'), waiting 60s before retrying
2024-09-25 18:33:18,261 [waptcore WaptTaskManager 10532] WARNING Unable to update server status : 400 Client Error: Bad Request for url: https://srvwapt.local.lan/update_host
2024-09-25 18:33:18,261 [wapttasks WaptTaskManager 10532] WARNING Host on the server is not known or not known under this FQDN name (known as None). Trying to register the computer...
2024-09-25 18:33:19,708 [wapttasks WaptTaskManager 10532] WARNING Unable to update server status: GSSAPIProxy requires the Python gssapi library: No module named 'gssapi'
2024-09-25 18:33:19,709 [wapttasks WaptTaskManager 10532] INFO Unable to update server status: No response
2024-09-25 18:33:49,217 [wapttasks SocketIOClient 23868] INFO Socketio connection params have changed. Socketio needs reconnect
2024-09-25 18:33:49,217 [wapttasks SocketIOClient 23868] INFO Creating socketio client: https://srvwapt.local.lan:443 client auth cert: ('C:\\Program Files (x86)\wapt\private\4c4c4544-0058-3810-8032-b2c04f523434.crt', 'C:\Program Files (x86)\wapt\private\4c4c4544-0058-3810-8032-b2c04f523434.pem') proxies: None verify_cert: C:\Program Files (x86)\wapt\ssl\server\srvwapt.local.lan.crt
2024-09-25 18:33:49,218 [wapttasks SocketIOClient 23868] INFO Connecting Socketio to https://srvwapt.local.lan:443
2024-09-25 18:33:49,235 [waptws SocketIOClient 23868] WARNING Exception ConnectionError('Connection error'), waiting 60s before retrying
log nginx for a PC

10.9.3.3 CN=4c4c4544-0058-3810-8032-b2c04f523434 FAILED: self signed certificate - [25/Sep/2024:19:51:48 +0200] "GET /licences.json HTTP/1.1" 400 208 "-" "wapt/2.5.5"
10.9.3.3 - NONE - [25/Sep/2024:19:51:48 +0200] "GET /licences.json HTTP/1.1" 401 17 "-" "wapt/2.5.5"
10.9.3.3 - NONE - [25/Sep/2024:19:51:48 +0200] "GET /licences.json HTTP/1.1" 401 17 "-" "wapt/2.5.5"
Enterprise license type 1500
Last edited by skoizer on 26 Sep 2024 - 08:21, edited 1 time.
High
User avatar
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM
Contact :
Contact Sfonteneau

September 25, 2024 - 8:52 PM

I see from your presentation that you have

Code: Select all

use_kerberos=1
In your case, the Kerberos configuration does not appear to be functional

You can follow: https://www.wapt.fr/fr/doc-2.3/wapt-sec ... e-kerberos
High
skoizer
Messages: 54
Registration: June 19, 2018 - 4:45 PM

September 26, 2024 - 09:45

Good morning,
Thanks for your reply.
Yes, I have enabled Kerberos

But since we use a DNS alias for everything and the server is registered with a different name, it doesn't work.
I removed the Kerberos option

/opt/wapt/conf/waptserver.ini
[options]
secret_key = AEi2u6TD7XTGwlyDdrjkCwYtvCGk6zJ3ER4gjfyZ6rZoMxdJQtRvXgUMEwLlvibT
server_uuid = 29600a76-e04e-11ed-b4e3-005056bcfc82
wapt_huey_db = /opt/wapt/db/waptservertasks.sqlite
wapt_password = $pbkdf2-sha256$29000$3rv3HgNgTMmZM8bYO2eM8Q$sZoG5FmdqcXxhKIM6i.GBVAR7neQisG9JvIPLuiY0Ao
waptwua_folder = /var/www/waptwua
allow_unauthenticated_registration = True
allow_unauthenticated_connect = True
clients_signing_key = /opt/wapt/conf/ca-s09wapt-srv.local.lan.pem
clients_signing_certificate = /opt/wapt/conf/ca-s09wapt-srv.local.lan.crt
wapt_admin_group = WAPT_ADMIN
ldap_auth_server = mondc.local.lan.fr
ldap_auth_base_dn = DC=local,DC=lan
ldap_auth_ssl_enabled = False
token_secret_key = uSFS1mfW8l8wzJghdpMiKusI4qXVKhGUDuD6V9qkKvgr8DJqCW7CB1Vsyq3wkO7J
use_kerberos = False
clients_signing_crl = /var/www/ssl/ca-s09wapt-srv.local.lan.crl
clients_signing_crl_url = http://srvwapt.local.lan/wapt/ssl/ca-s0 ... al.lan.crl
ssl_additional_crls = /var/www/ssl
wads_enable = False
waptwua_enable = False
systemctl restart wapt*

I always make mistakes

10.9.3.16 CN=4c4c4544-0058-3810-8032-b2c04f523434 FAILED:self signed certificate - [26/Sep/2024:09:44:35 +0200] "GET /wapt-host/4c4c4544-0058-3810-8032-b2c04f523434.wapt HTTP/1.1" 400 208 "-" "wapt/2.5.5"
10.9.3.16 CN=4c4c4544-0058-3810-8032-b2c04f523434 FAILED:self signed certificate - [26/Sep/2024:09:44:36 +0200] "GET /licences.json HTTP/1.1" 400 208 "-" "wapt/2.5.5"
10.9.3.16 - NONE - [26/Sep/2024:09:44:36 +0200] "GET /licences.json HTTP/1.1" 401 17 "-" "wapt/2.5.5"
10.9.3.16 - NONE - [26/Sep/2024:09:44:36 +0200] "GET /licences.json HTTP/1.1" 401 17 "-" "wapt/2.5.5"
On the console, I see the PC 10.9.3.16 connected
but it's duplicated in this one... which isn't good

UUID 4C4C4544-0058-3810-8032-B2C04F523434
UUID of the new PC: 4c4c4544-0058-3810-8032-b2c04f523434
High
Locked

Return to "WAPT Server"


  • To go further with WAPT