WAPT Server Version: 2.1.2
WAPT Agent Version: 2.1.2.10652
WAPT Setup Version: 2.1.2.10652
WAPT Deploy Version: 2.1.2.10652
OS: Linux RHEL 7.9
Administration/Clients: Windows 7 and Windows 10
License: Enterprise
Hello,
The wildcard SSL certificate we use for various administration tools expired yesterday morning. I had renewed and installed it everywhere... or so I thought. This certificate is used, in particular, for WAPT, on the NGINX side. So, I updated the renewed certificate on our WAPT server for the first time and restarted NGINX. When I connect to our server's URL (i.e., https://xxx-wapt.xxxx.info), I can access our server's homepage, and the wildcard certificate is valid until 2023.
But on the WAPT console, I can't connect. When checking my local WAPT console configuration, if I uncheck "Verify HTTPS server certificate," the URLs of the main repository and the WAPT server are recognized as valid. If I check the same box, it no longer works. Clicking on "Retrieve HTTPS server certificate" correctly retrieves my certificate in "C:\Program Files (x86)\wapt\ssl\server," but this doesn't work with the checkbox selected.
After consulting the documentation, I saw that it's preferable to use the "verify_cert=1" option when using a commercial certificate. Indeed, with this option and the checkbox selected, the problem persists in my console.
However, when I type the command `wapt-get enable-check-certificate` on my own machine, I get a critical error: `
CRITICAL Common name of certificate (*.xxxx.info) does not match server hostname (xxx-wapt.xxxx.info)`.
This is surprising since it's the same type of certificate as before. I even tried repeating the postconf.sh procedure, but without success.
Now, my main problem is that I've lost all my monitored machines in the WAPT console. In fact, they're all there, but they're all in "DISCONNECTED" status, except for my own machine.
I updated a GPO where the wapt-get.ini file is deployed by adding the option `verify_cert=1` in the [global] section. I figured that if it worked for the console, it would work for the agent on the client machines. I pushed the GPO to the workstations yesterday while waiting for the WAPT service to restart this morning. My users are having trouble connecting.
Last night, I had two additional machines connected, so I thought everything would be back to normal, but this morning, no more machines are connected...
What did I do wrong, and how can I fix this problem?
Thank you in advance for your help.
[RESOLVED] Problem following renewal of a wildcard certificate
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
dcardon
- WAPT Expert
- Messages: 1929
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
- Contact :
Hi JM,
there have been some issues with wildcard certificates, not directly in the code, but in how they are retrieved and stored. The certificate is stored with its Certificate Number (CN), and in the case of a wildcard, there's an asterisk (*) in the CN, which isn't ideal for the file system.
Using `verify_cert=1` with the OS's certificate store works if the Certificate Authority (CA) is recognized by the OS.
If `verify_cert` is set to 1, there's no need to run `enable_verify_cert` (unless you're trying to pin the certificate).
There have been some fixes recently for this issue, but I don't know if they've been backported.
Best regards,
Denis
there have been some issues with wildcard certificates, not directly in the code, but in how they are retrieved and stored. The certificate is stored with its Certificate Number (CN), and in the case of a wildcard, there's an asterisk (*) in the CN, which isn't ideal for the file system.
Using `verify_cert=1` with the OS's certificate store works if the Certificate Authority (CA) is recognized by the OS.
If `verify_cert` is set to 1, there's no need to run `enable_verify_cert` (unless you're trying to pin the certificate).
There have been some fixes recently for this issue, but I don't know if they've been backported.
Best regards,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
