[RESOLVED] SSL on WAPTHttpServer secondary repository

sterobo
Messages: 33
Registration: July 24, 2025 - 3:20 PM

January 29, 2026 - 2:55 PM

Good morning,

I am unable to get a secondary repository working over HTTPS with WAPTHttpServer (Windows, wapt 2.6.1.17472).
My configuration uses a CA specified in "verify_cert", which signs the main server (everything works correctly for it, but it probably does not use WAPTHttpServer).
The secondary repository certificate uses the same CA, the secondary repository appears to be accessible via HTTPS (everything is OK via a browser, the CA is the same as the one configured in verify_cert), but I get the following error when running wapt-get update:

Code:

ERROR Certificate check failed for https://<fqdn dépôt secondaire>/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\ca.crt
CRITICAL The rule <nom de règle> failed for repo wapt with repo_url https://<fqdn dépôt secondaire>/wapt : HTTPSConnectionPool(host='<fqdn dépôt secondaire>', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)')))

The submission rule seems correct (it worked over HTTP and the server was accessible).
The wapt logs, on the secondary repository side, do show access during tests with a browser (access443.log), but the error443.log file remains stubbornly empty...
I've read the posts and documentation that address these topics, but I'm a bit stuck...
Last edited by sterobo on 03 Apr 2026 - 15:12, edited 4 times.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

January 29, 2026 - 3:41 PM

Hello,

To understand correctly, you created a dedicated certificate for the secondary repository from your CA?

You then modified your wapthttpserver configuration to include this new certificate pair?

Is the certificate for the secondary repository the full chain?
sterobo

January 30, 2026 - 12:12

Hello, thank you for your reply.
The answer to the first two questions is yes, but I need to check about the full chain, though I don't think so. I'll look into that.
sfonteneau

January 30, 2026 - 2:20 PM

It is also necessary to verify that, in wapt-get.ini, verify_cert points correctly to the Root CA or the intermediate CA, but not to the final server certificate.
sterobo

February 2, 2026 - 9:55 AM

Thanks for the replies.
I checked wapt-get.ini, but I seem to be getting the same error with the fullchain.

Access via the browser or even the console (if I set the secondary repository as the primary) is visible in access443.log, but there's still nothing in error443.log, and wapt-get update still fails.
sfonteneau

February 2, 2026 - 10:50

What does the following command return?

wapt-get update --force -ldebug
sterobo

February 2, 2026 - 11:19

The same error occurs multiple times:

Code:

...
2026-02-02 10:59:39,319 DEBUG Checking availability of https://<fqdn dépôt secondaire>/wapt/Packages
2026-02-02 10:59:39,319 DEBUG Starting new HTTPS connection (1): <fqdn dépôt secondaire>:443
2026-02-02 10:59:39,319 ERROR Certificate check failed for https://<fqdn dépôt secondaire>/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\ca.crt
2026-02-02 10:59:39,319 CRITICAL The rule <nom de règle> failed for repo wapt with repo_url https://<fqdn dépôt secondaire>/wapt : HTTPSConnectionPool(host='<fqdn dépôt secondaire>', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)')))
...

But what intrigues me is that nothing is present in error443.log, as if the connection wasn't even attempted by wapt-get.
sfonteneau

February 2, 2026 - 1:01 PM

You will not see anything on the secondary repository side because it is the agent that is refusing the https connection because it considers the bundle to be invalid.

You can try it in pure Python:

Code:

C:\Windows\System32>wapt-get shell
Python 3.11.14 (main, Dec 18 2025, 13:46:39) [MSC v.1929 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> import requests
>>> requests.get('https://reposecondaire.mydomain.lan',verify=r'C:\Program Files (x86)\wapt\ssl\server\ca.crt').content

But it should answer:

Code:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)

If it works with your browser, then either the full chain on the server side is missing (the intermediate part is missing), or the path C:\Program Files (x86)\wapt\ssl\server\ca.crt does not point to the CA but to a final certificate (pinning).

Did you properly restart the HTTP server of the secondary repository after putting the fullchain on the secondary repository?
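
The missing-intermediate case described in the post above can be reproduced offline; this is an added example, not part of the thread and not WAPT code. It assumes the third-party cryptography package, builds a throwaway root / intermediate / leaf PKI with constructed names, and runs an in-memory TLS handshake with Python's ssl module to show what the client concludes for a given served chain and verify_cert bundle.

```python
import datetime, pathlib, ssl, tempfile
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import ec
HOST = "repo.example.test"  # constructed hostname, not from the thread

def make_cert(cn, issuer=None, ca=True):  # issuer is a (cert, key) pair or None
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    ext = (x509.BasicConstraints(ca=True, path_length=None) if ca
           else x509.SubjectAlternativeName([x509.DNSName(cn)]))
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(issuer[0].subject if issuer else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=30))
               .add_extension(ext, critical=ca))
    return builder.sign(issuer[1] if issuer else key, hashes.SHA256()), key

def pem(*certs):
    return b"".join(c.public_bytes(ser.Encoding.PEM) for c in certs)

def client_verdict(served_chain, server_key, verify_cert):
    """Handshake in memory; return 'ok' or the client's verify message."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.TemporaryDirectory() as d:  # load_cert_chain needs a file
        bundle = pathlib.Path(d, "server.pem")  # key first, then the chain
        bundle.write_bytes(server_key.private_bytes(ser.Encoding.PEM,
            ser.PrivateFormat.PKCS8, ser.NoEncryption()) + pem(*served_chain))
        sctx.load_cert_chain(str(bundle))
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # checks chain and hostname
    cctx.load_verify_locations(cadata=pem(*verify_cert).decode())
    to_client, to_server = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = cctx.wrap_bio(to_client, to_server, server_hostname=HOST)
    server = sctx.wrap_bio(to_server, to_client, server_side=True)
    for _ in range(4):  # alternate sides until both flights are exchanged
        for side in (client, server):
            try:
                side.do_handshake()
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLCertVerificationError as exc:
                return exc.verify_message
    return "ok" if client.getpeercert() else "incomplete"

root = make_cert("Constructed Root CA")
inter = make_cert("Constructed Intermediate CA", issuer=root)
leaf, leaf_key = make_cert(HOST, issuer=inter, ca=False)
```

Calling `client_verdict([leaf], leaf_key, [root[0]])` returns the same "unable to get local issuer certificate" message as in the thread, while serving `[leaf, inter[0]]` against the same root returns `ok`.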
sterobo

February 2, 2026 - 1:21 PM

Okay, thanks! (I wasn't familiar with wapt-get shell.)
No pinning and the service restarted, but I checked the fullchain and it seemed there was a certificate order reversal (I had retrieved the browser's fullchain). It's working now! Thank you so much for your help!

Edit: Actually, no, there was no reversal, just no more error because it was no longer accessible and was switching to the fallback...
sfonteneau

February 2, 2026 - 1:45 PM

Does it work with the curl command?

Code:

curl https://reposecondaire.mydomain.lan --cacert "C:\Program Files (x86)\wapt\ssl\server\ca.crt"