
[RESOLVED] SSL certificate change

Published: June 28, 2019 - 2:57 PM
by toma
Hello,

I followed your documentation regarding replacing the server's SSL certificate.

https://www.wapt.fr/fr/doc/waptserver-i ... icate.html

But now my workstations won't download updates anymore. I have to go back to them to replace the public key in C:\Program Files (x86)\wapt\ssl\server. I'll have to create a GPO to fix this.

Do I need to generate a new version of the agent after this update?

I started this modification a bit carelessly, and now it's a mess. How do you envision this type of maintenance task to avoid breaking the connection between the server and the agents?

Re: SSL certificate change

Published: July 3, 2019 - 10:14 AM
by dcardon
Hello Toma,
toma wrote: June 28, 2019 - 2:57 PM
I followed your documentation regarding replacing the server's SSL certificate.

https://www.wapt.fr/fr/doc/waptserver-i ... icate.html

But now my workstations won't download the updates anymore. I have to go back to them to replace the public key in C:\Program Files (x86)\wapt\ssl\server. I'll have to create a GPO to fix this.

Do I need to generate a new version of the agent after this update?

I started this modification a bit carelessly, and in the end, it's a mess. How do you envision this kind of maintenance task to avoid breaking the connection between the server and the agents?
If you had a self-signed certificate and requested certificate verification when creating the agent, the only way to perform the verification is by doing certificate pinning... Hence the behavior you are observing (see the WAPT concept explanation pages in the documentation).

Certificate pinning occurs during agent generation, so it needs to be updated. If you have a waptdeploy GPO, you will need to add a --force option if the agent version has not been incremented.

The documentation you followed is for initial setup (it's in the "installation" section). I'll look into formalizing this in maintenance documentation.

Sincerely,

Denis

Re: [RESOLVED] SSL certificate change

Published: July 3, 2019 - 9:40 PM
by sfonteneau
What you should have done in your case is: add the new (commercial) certificate to the end of the previously pinned certificate (the one in wapt\ssl\server\myserver.dom.lan.crt).
Then generate a new agent to push this new certificate bundle to all machines.

Once this new bundle is pushed to ALL your agents, then (and only then) can you change the key and certificate on the Nginx side.

The WAPT agent will then accept the new certificate since it will be in its bundle (if you change your mind, you can also restore the old one; it will also be accepted by the WAPT agent).

Generally, remember that WAPT will verify the HTTPS certificate using the information specified in the wapt-get.ini file, specifically in the `verify_cert` section of the global file. See the documentation:

https://www.wapt.fr/fr/doc/wapt-configu ... ertificate.

Before changing the certificate on the server side, you must ensure that the agents will accept the new certificate.

Note: I much prefer using pinning; it's simpler and just as secure.
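The rotation sfonteneau describes (append the new certificate to the pinned one, regenerate and push the agent, only then switch Nginx) can be rehearsed offline before anything touches the server. The script below is an added example and is not WAPT's own tooling: it uses openssl to mint two throwaway self-signed certificates standing in for the currently pinned myserver.dom.lan.crt and for the new certificate, builds the bundle, and checks the invariant the post relies on. The new certificate must validate against the bundle, the old one must still validate against it (so the rollback he mentions works), and the new one must not validate against the old file alone, which is the state toma's workstations were in. File names, subjects and the ini behaviour implied by `accepted_by` are assumptions.

```shell
#!/bin/sh
# Added example (not part of WAPT): rehearse the certificate-bundle rotation
# with openssl, entirely offline. Both certificates are throwaway, constructed
# test data; the file names mirror the post's wapt\ssl\server layout but are
# assumptions, not paths WAPT itself requires.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

OLD_CRT="$WORK/myserver.dom.lan.crt"        # stand-in for the currently pinned server cert
NEW_CRT="$WORK/myserver.dom.lan.new.crt"    # stand-in for the new (commercial) cert
BUNDLE="$WORK/myserver.dom.lan.bundle.crt"  # what the regenerated agent would pin

# mk_selfsigned SUBJECT OUTFILE: generate a throwaway self-signed certificate
# (private key lands next to it as OUTFILE.key).
mk_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# build_bundle OLD NEW OUT: step 1 of the rotation, old pinned cert first and
# the new cert appended after it. Prints the number of certificates in OUT.
build_bundle() {
    cat "$1" "$2" > "$3"
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# accepted_by TRUSTFILE CERT: returns 0 if CERT validates against TRUSTFILE,
# i.e. what an agent whose verify_cert points at TRUSTFILE would accept
# (assumed to match openssl's chain validation); returns 1 otherwise.
accepted_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

mk_selfsigned "/CN=myserver.dom.lan" "$OLD_CRT"
mk_selfsigned "/CN=myserver.dom.lan/O=New commercial stand-in" "$NEW_CRT"
BUNDLE_COUNT="$(build_bundle "$OLD_CRT" "$NEW_CRT" "$BUNDLE")"

# Preflight the rotation:
#  - the failure toma saw: an agent still pinning only the old file rejects the new cert
#  - after the bundle is pushed: the new cert is accepted, and the old one still is (rollback)
if accepted_by "$OLD_CRT" "$NEW_CRT"; then
    echo "unexpected: the old pin alone accepts the new certificate" >&2
    exit 1
fi
accepted_by "$BUNDLE" "$NEW_CRT" || { echo "bundle rejects the new certificate" >&2; exit 1; }
accepted_by "$BUNDLE" "$OLD_CRT" || { echo "bundle rejects the old certificate" >&2; exit 1; }
echo "bundle holds $BUNDLE_COUNT certificates: regenerate the agent, push it everywhere, then switch Nginx"
```

Before generating the agent for real, run the same `openssl verify -CAfile <bundle>` against the exact certificate file Nginx will serve. If the new certificate is not self-signed, openssl also needs its issuing chain in the bundle (or the `-partial_chain` flag) for that check to pass, so test with the files you will actually deploy rather than with the stand-ins above.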