Hello,
this might be a silly question, but can WAPT clients use HTTPS server certificate verification with a self-signed certificate?
It's not very clear in this documentation:
https://www.wapt.fr/fr/doc/Installation ... ertificate
"This self-signed certificate will not be recognized by browsers and will not allow for proper verification of the WAPT server."
Thank you.
[RESOLVED] Valid SSL/TLS certificate for the WAPT server
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Yes, the WAPT client will verify the certificate, whether self-signed or not.
The difference is that for a commercial certificate, the client already has a list of certification authorities (from "certifi").
In the case of the "authorized" self-signed certificate (which the WAPT client trusts for HTTPS connections to the repository and server), it is distributed during the installation of the custom agent waptagent.exe. It is placed in C:\Program Files (x86)\wapt\ssl\server\ and is referenced in C:\Program Files (x86)\wapt\wapt-get.ini via the "verify_cert" parameter:
[global]
...
verify_cert=C:\Program Files (x86)\wapt\ssl\server\srvwapt.ad.tranquil.it.crt
Verification can be enabled afterwards on a client using the command (cmd with elevated admin privileges):
wapt-get enable-check-certificate
Tranquil IT
Okay, that's perfect!
In the WAPT configuration, I check the "Verify server HTTPS certificate" box, and specify the path to the CA bundle. I click the "Get server HTTPS certificate" button, and it retrieves the certificate from C:\wapt\ssl\server\srwwapt.domain.crt.
When I validate, I get an error: "Error connecting with SSL. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed."
Do I need to generate a new certificate? (Knowing that I changed the hostname along the way...)
Thanks
The CN of the certificate used by the HTTPS server must match the hostname of the URL used to access the WAPT server (wapt_server and repo_url).
Tranquil IT
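The hostname check described in the last reply, as an added example that is not part of the thread and is not WAPT's own code: it reads wapt_server, repo_url and verify_cert from the text of a wapt-get.ini and reports whether each URL's hostname is covered by the pinned certificate's names. The hostnames, the ini content and the certificate dict are constructed; checking subjectAltName before the CN is an assumption that follows usual TLS practice, since the reply mentions only the CN.

```python
import configparser
from urllib.parse import urlsplit

# Constructed wapt-get.ini after a server rename (hostnames are made up).
SAMPLE_INI = r"""
[global]
repo_url=https://wapt.example.lan/wapt
wapt_server=https://wapt.example.lan
verify_cert=C:\Program Files (x86)\wapt\ssl\server\srvwapt.example.lan.crt
"""

# Constructed names of the pinned certificate, in the dict shape that
# ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_CERT = {
    "subject": ((("commonName", "srvwapt.example.lan"),),),
    "subjectAltName": (("DNS", "srvwapt.example.lan"),),
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(host, pattern):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def audit(ini_text, cert):
    """Return ({setting: (hostname, covered_by_cert)}, verify_cert value)."""
    cfg = configparser.RawConfigParser()  # no interpolation: Windows paths stay intact
    cfg.read_string(ini_text)
    names = cert_names(cert)
    report = {}
    for key in ("wapt_server", "repo_url"):
        host = urlsplit(cfg.get("global", key, fallback="")).hostname or ""
        report[key] = (host, any(name_matches(host, n) for n in names))
    return report, cfg.get("global", "verify_cert", fallback=None)


if __name__ == "__main__":
    print(audit(SAMPLE_INI, SAMPLE_CERT))
```

A False entry means the agent is addressing the server under a name the pinned certificate does not carry, which is the situation after a hostname change.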
