[RESOLVED] SSLCertVerificationError after update from 2.5.5 to 2.6.0

cefinformatique
Messages: 31
Registration: May 26, 2023 - 2:25 p.m.

December 4, 2024 - 10:31

WAPT server: 2.6.0.16552-49ddf2d3-amd64 (Debian 12)
WAPT Console: 2.6.0.16552-49ddf2d3 (Debian 12)
WAPT Agent: 2.6.0.16552 (Windows 11 23H2)
Edition: Enterprise

Good morning,

I updated my server (and console) from version 2.5.5 to 2.6.0, but after recreating and deploying the Windows agent, all my clients are showing a certificate verification error:

2024-12-04 10:01:11,942 [waptcore WaptTaskManager 3356] ERROR Certificate check failed for https://wapt.mondomaine.fr/wapt/Packages and verify_cert True
2024-12-04 10:01:11,942 [waptcore WaptTaskManager 3356] CRITICAL Error merging Packages from wapt into db: HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))
2024-12-04 10:01:11,973 [waptcore WaptTaskManager 3356] CRITICAL Error merging Packages from wapt-host into db: HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/avw-adminwin.mondomaine.fr.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))
2024-12-04 10:01:12,129 [wapttasks WaptTaskManager 3356] INFO Running task Installation de avw-adminwin.mondomaine.fr(=6) (tâche #10) created by console
HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/avw-adminwin.mondomaine.fr.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))
My certificate authority remains the same and is deployed in the store of each Windows client as a trusted root certificate authority.

I attempted a manual installation of agent 2.6.0 but the result remains the same.

Here is the content of wapt-get.ini on a Windows client:

[global]
repo_url=https://wapt.mondomaine.fr/wapt
wapt_server=https://wapt.mondomaine.fr
verify_cert=1
use_repo_rules=1
use_kerberos=1
use_fqdn_as_uuid=1
use_ad_groups=1
allow_remote_reboot=1
allow_remote_shutdown=1
include_dmi_inventory=1
include_wmi_inventory=1
use_hostpackages=1
peercache_enable=0
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0

[waptwua]
enabled=1
default_allow=1
install_delay=3
download_scheduling=12h
install_scheduling=1d
install_at_shutdown=1
direct_download=False
include_potentially_superseded_updates=True
fschelfaut
Messages: 30
Registration: Nov 7, 2024 - 12:22

December 4, 2024 - 2:19 PM

Hello,

Since WAPT version 2.6, we no longer directly use the Windows certificate store.
We now rely on the cacert.pem, located in the following directory:
C:\Program Files (x86)\wapt\lib\site-packages\certifi.

Furthermore, if you are using an internal CA, you must specify it when generating the agent.

On your end, you need to check the /opt/wapt/waptserver/ssl/cert.pem on your WAPT server to ensure it contains the full chain.
This means it must include three distinct sections starting with:
-----BEGIN CERTIFICATE-----
If this is not the case, it would explain your SSL certificate problem.

Flavien
cefinformatique
Messages: 31
Registration: May 26, 2023 - 2:25 p.m.

December 4, 2024 - 3:18 PM

Hello,

OK, the problem is solved by adding my CA to the file C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem.

I will copy this file and deploy it via GPO to all my workstations to reconnect them to WAPT.

Thank you! :D
fschelfaut
Messages: 30
Registration: Nov 7, 2024 - 12:22

December 4, 2024 - 3:54 PM

Hello,

Note that modifying this file C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem must be temporary!

Because with each new version of WAPT, this file can be rewritten and therefore your changes can be deleted.

The best approach would be to generate an agent and set "Server certificate verification" to "Retrieve the certificate from the server". This way, the agent will retrieve the full chain from the WAPT server. If all your agents are already on the latest version, then you need to use a dynamic configuration package.

Private repository -> Generate a package template -> Dynamic agent configuration
Then set "Server certificate verification" to "Retrieve the certificate from the server".
[Screenshot: conf_dynamique_agent.PNG]
On your end, you absolutely must check the file /opt/wapt/waptserver/ssl/cert.pem on your WAPT server to ensure it contains the full chain (3 certificates).

Flavien
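A stand-alone diagnostic for the two checks Flavien describes in both replies: that the server's cert.pem really holds the full chain (three BEGIN CERTIFICATE blocks that decode to DER), and that the WAPT server verifies against a chosen CA bundle the way the 2.6 agent does with certifi's cacert.pem rather than the Windows store. This is an added example, not WAPT code; the host name, file paths and the sample certificate blocks are placeholders or constructed data, and the chain check is structural only (it does not validate signatures).

```python
import base64
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(pem_text):
    """Decode every certificate block of a PEM bundle to DER bytes.
    A block that is not valid base64, or does not start with the DER
    SEQUENCE tag (0x30), raises ValueError: a damaged block breaks the
    agent's verification just like a missing one."""
    blocks = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER certificate")
        blocks.append(der)
    return blocks

def chain_report(pem_text, expected=3):
    """Structural check for /opt/wapt/waptserver/ssl/cert.pem: count the
    blocks and flag whether at least the leaf + intermediate + root
    (3 certificates) named in the thread are present."""
    n = len(pem_to_der_blocks(pem_text))
    return {"certificates": n, "full_chain": n >= expected}

def verify_with_bundle(host, cafile, port=443, timeout=5):
    """TLS handshake trusting only `cafile` (e.g. the agent's
    C:\\Program Files (x86)\\wapt\\lib\\site-packages\\certifi\\cacert.pem).
    Returns (True, peer subject) or (False, error text)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # only this bundle
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return False, str(exc)

# Constructed sample data: a minimal DER SEQUENCE, not a real certificate,
# just enough to exercise the structural check offline.
_DUMMY_DER = bytes.fromhex("3003020101")
def pem_block(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
SAMPLE_FULL_CHAIN = pem_block(_DUMMY_DER) * 3   # leaf + intermediate + root shape
SAMPLE_LEAF_ONLY = pem_block(_DUMMY_DER)        # the misconfiguration to catch
```

Run chain_report on the server's cert.pem contents, and on a client call verify_with_bundle("wapt.mondomaine.fr", <path to cacert.pem>) to reproduce the agent's check before and after fixing the bundle.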