Problem with HTTPS? PC not recognized

Published: July 5, 2018 - 2:17 PM
by jojo57
Hello,

I'm deploying the WAPT agent using waptdeploy, with both a logon script and a GPO.

It works perfectly for most PCs, but for about ten (out of approximately 80) it fails to install.
I should clarify that the GPO is indeed a computer GPO (therefore with admin rights) and that the logon script uses an AutoIt script which also grants it local administrator rights (this worked perfectly with WAPT 1.3 and therefore here for the vast majority with WAPT 1.5).
Here's the error: (I've replaced my domain with xxxx)
-----------------------------------------------------------------------------------------------
WAPT required version: force
Wapt agent path: C:\Windows\TEMP\waptagent.exe
Wget new waptagent from https://wapt2.xxxx.local/wapt/waptagent.exe
Trying to reach https://wapt2.xxxx.local/wapt/waptagent.exe...
Reachable, downloading...
Done.
Cleanup...
An unhandled exception occurred at $00416608:
EFOpenError: Unable to open file "C:\Windows\TEMP\waptagent.exe"
$00416608
$004164B0
$00440216
$004047C9
-----------------------------------------------------------------------------------------------
The logon script (as admin)

\\Server\NETLOGON\waptdeploy.exe --hash=my_hash --minversion=1.5.1.23 --wait=15 --waptsetupurl=https://wapt2.xxxx.local/wapt/waptagent.exe
-----------------------------------------------------------------------------------------------

After quite a bit of research, I noticed that if I enter the address as http and not as https for wapturl, it works.
And this corresponds to the error: Unable to open file "C:\Windows\TEMP\waptagent.exe".
Waptdeploy apparently couldn't download Waptagent from the Wapt server via HTTPS.

I suspect a certificate is missing on some PCs, but I haven't deployed any specific certificates. Should I do this (via GPO?) and if so, which certificate and where? And why does it work on most PCs but not some?

This problem is very disruptive, and I'd rather not stay with HTTP because it might not work in a future version of Wapt (and I'm not sure it will work on all PCs via HTTP; I'm testing...).

Thanks.

Re: Problem with HTTPS? PC not recognized

Published: July 5, 2018 - 5:36 PM
by dcardon
Hello jojo57,
jojo57 wrote: July 5, 2018 - 2:17 PM
Hello,

I'm deploying the WAPT agent with waptdeploy, using both a logon script and a GPO.

It works perfectly for most PCs, but for about ten (out of approximately 80) it fails to install.
I want to clarify that the GPO is indeed a computer GPO (therefore with admin rights) and that the logon goes through an AutoIt script which also grants it local administrator rights (this worked perfectly with WAPT 1.3 and therefore here for the vast majority with WAPT 1.5).
Here's the error: (I replaced my domain with xxxx)
-----------------------------------------------------------------------------------------------
WAPT required version: force
Wapt agent path: C:\Windows\TEMP\waptagent.exe
Wget new waptagent from https://wapt2.xxxx.local/wapt/waptagent.exe
Trying to reach https://wapt2.xxxx.local/wapt/waptagent.exe...
Reachable, downloading...
Done.
Cleanup...
An unhandled exception occurred at $00416608:
EFOpenError: Unable to open file "C:\Windows\TEMP\waptagent.exe"
$00416608
$004164B0
$00440216
$004047C9
-----------------------------------------------------------------------------------------------
The logon script (as admin)

\\Server\NETLOGON\waptdeploy.exe --hash=my_hash --minversion=1.5.1.23 --wait=15 --waptsetupurl=https://wapt2.xxxx.local/wapt/waptagent.exe
-----------------------------------------------------------------------------------------------

After quite a bit of research, I noticed that if I enter the address as http and not as https for wapturl, it works.
And this corresponds to the error: Unable to open file "C:\Windows\TEMP\waptagent.exe".
Waptdeploy apparently couldn't download Waptagent from the Wapt server via HTTPS.

I suspect a certificate is missing on some PCs, but I haven't deployed any specific certificates. Should I do this (via GPO?) and if so, which certificate and where? And why does it work on most PCs but not some?

This problem is very disruptive, and I'd rather not stay with HTTP because it might not work in a future version of Wapt (and I'm not sure it will work on all PCs via HTTP; I'm testing...).

Thanks.

The download process doesn't seem to be causing any problems according to the logs. Did you check if your antivirus software deleted the file before it was executed?

Sincerely,

Denis

Re: Problem with HTTPS? PC not recognized

Published: July 6, 2018 - 9:51 AM
by jojo57
Hello,

Yes, I checked and the antivirus didn't delete anything. Besides, if it had, I think it would have also deleted the file downloaded via HTTP. And we have the same antivirus (corporate, with an agent) on all the workstations, so why some and not others? I suppose it's a certificate problem, but I don't see where.
However, I migrated from WAPT 1.3 to WAPT 1.5 (I installed a completely new server in WAPT 1.5, with a new prefix), and that might be the cause. In WAPT 1.3, the WAPT folder was directly under C:, and now it's in Program Files (x86). That might also be a clue. Since I switched to HTTP (2 days ago), 12 PCs have correctly registered in the WAPT console. But I'd prefer to fix this problem because I might still have some PCs that aren't registering (or won't register with a future version?).

Re: Problem with HTTPS? PC not recognized

Published: July 6, 2018 - 11:47 AM
by jojo57
I just tested it on my machine with
`wapt-get enable-check-certificate`

and the response is this:

Server certificate: C:\wapt\ssl\server\wapt2.xxxx.local.crt
FATAL ERROR: Exception: Common name of certificate (wapt2.xxxx.local) does not
match server hostname (wapt2.xxxx.local), aborting.

However, my console works fine and the PCs connect.
BUT, as I mentioned earlier, some PCs have Wapt installed in c:\wapt (since version 1.3) and others (more recent) in c:\program files (x86)\wapt. Any connection?

Personally, I had to stay in c:\wapt because otherwise package compilation failed.
In short, my certificate seems valid, yet there's a problem.
I can't reinstall everything on all the PCs, though.

Thanks

Re: Problem with HTTPS? PC not recognized

Published: July 6, 2018 - 6:29 PM
by sfonteneau
It seems to me that waptdeploy uses the Windows API for downloading.

If the wapt server is configured with a self-signed certificate, Windows should recognize it.

Otherwise, you need to add "--waptsetupurl=http://wapt2.xxxx.local/wapt/waptagent.exe"

to specify that you want to download it via HTTP.

PS: There's no risk in downloading via HTTP because waptdeploy requires a hash.

Another point: it seems that by default, waptdeploy downloads via HTTP unless a wapt server is already installed. In that case, wapt will use the URL from wapt-get.ini, which is an HTTPS URL. ;)

Generally, it's preferable to add --waptsetupurl=
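
A diagnostic for comparing a failing PC with a working one, following the point above that the download relies on Windows recognizing the server certificate. This is an added example, not part of the thread and not WAPT code; the certificate path and host name are the placeholders quoted in the thread, and `Test-ServerCertTrust` is a hypothetical helper name.

```powershell
# Added diagnostic, not WAPT code. Run it on a PC where the HTTPS download
# fails and on one where it works, then compare the two results.
param(
    # Placeholder path and host name as quoted in the thread; pass your own.
    [string]$CertPath   = 'C:\wapt\ssl\server\wapt2.xxxx.local.crt',
    [string]$ServerName = 'wapt2.xxxx.local'
)

function Test-ServerCertTrust {   # hypothetical helper name
    param([string]$Path, [string]$HostName)

    # Resolve to an absolute path (.NET ignores the PowerShell location);
    # stops with an error if the file does not exist.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # $true = build the chain in the local machine context rather than the
    # current user's, which matches a deployment run by a computer GPO.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; no CRL/OCSP lookup
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # A self-signed server certificate is trusted only if it is itself
    # present in a trusted root store on this PC.
    $inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

    # First DNS name from the SAN extension, falling back to the subject CN.
    $dnsName = $cert.GetNameInfo('DnsName', $false)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Subject       = $cert.Subject
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        InMachineRoot = $inMachineRoot
        ChainTrusted  = $trusted
        ChainStatus   = ($status -join ', ')
        CertDnsName   = $dnsName
        # Exact, case-insensitive comparison; wildcard names are not expanded.
        NameMatches   = ($dnsName.Trim() -ieq $HostName.Trim())
    }
}

Test-ServerCertTrust -Path $CertPath -HostName $ServerName | Format-List
```

If `ChainTrusted` and `InMachineRoot` differ between the working and the failing PC, the difference is in the machine's trusted root store rather than in waptdeploy.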