Problem verifying HTTPS server certificate in the console

Share your tips or issues concerning the WAPT Console or WAPT Agent here
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
etunilim
Messages: 9
Registration: Nov 15, 2019 - 11:17

November 20, 2019 - 4:44 PM

Good morning,

WAPT version 1.7
Server: Debian 10
Console: Win 10

I am currently configuring the WAPT console on my administration workstation, following the documentation. Everything was going well until, in the console configuration, I checked the 'verify https server certificate' box.
The certificate is successfully retrieved from the server and placed in wapt/ssl/server/, but I immediately get SSL errors that appear in red in the configuration window:


error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
I tried several things, without much success (including enable-check-certificate in a cmd window, then restarting the wapt service), but it doesn't change anything.
I can't even start the console anymore, I keep getting the same SSL error messages.

On the server, I replaced the self-signed certificates with those of my organization (replacing the cert.pem and key.pem files in /opt/wapt/waptserver/ssl/). The connection to the server's web interface works perfectly.

If someone can help me, because right now I don't really see the problem.

Thanks in advance
ET.
etunilim
Messages: 9
Registration: Nov 15, 2019 - 11:17

November 20, 2019 - 4:54 PM


Just a small point, if it helps:

When I run `wapt-get update` on the administration PC (Windows), I get the following error message:


C:\windows\system32>wapt-get update
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Update package list from https://waptsrv.mondomaine.fr/wapt, https://waptsrv.mondomaine.fr/wapt-host
2019-11-20 15:45:25,494 CRITICAL Error merging Packages from https://waptsrv.mondomaine.fr/wapt into db: SSLError: HTTPSConnectionPool(host='waptsrv.mondomaine.fr', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
2019-11-20 15:45:25,588 CRITICAL Error merging Packages from https://waptsrv.mondomaine.fr/wapt-host into db: SSLError: HTTPSConnectionPool(host='waptsrv.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/464E1D42-5112-5296-C225-3E9D7E0AA64D.wapt (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
C:\windows\system32>
(I changed the server name, of course)
etunilim
Messages: 9
Registration: Nov 15, 2019 - 11:17

November 22, 2019 - 11:28

Hello,

After further testing, the error doesn't occur when I check the "Verify the server's HTTPS certificate" option. In that case, I can click the "Verify" button and everything seems fine (no error message is displayed).
The problem arises when I click the "Retrieve HTTP Server Certificate" button:
In that case, it does retrieve the server's certificate (from Program Files (x86)/wapt/ssl/server/), and it's the correct certificate, but the connection errors appear.
This is a serious concern for me, because if I only check the box, it doesn't have the certificates (nothing in Program Files (x86)/wapt/ssl/server/), so I don't really understand what it's verifying (but I admit this certificate mechanism is rather unclear to me, and I could be wrong).

Could you please provide some information on this?

Thank you in advance
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

November 22, 2019 - 12:44

Hello,

In my opinion, you haven't specified the complete certificate chain on the nginx server:

https://www.wapt.fr/fr/doc/wapt-securit ... ganization

To specify a complete chain:
cat srvwapt.mydomain.lan.crt ca.crt > cert.pem


But as the documentation indicates
https://www.wapt.fr/fr/doc/wapt-securit ... wapt-agent,

if you are using a commercial certificate, it's simpler to set the value of verify_cert to 1.

Wapt will then use the Python certifi bundle (a bundle of 139 public CA certificates...) to verify the connection:
C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem


Note that the agent configuration "C:\Program Files (x86)\wapt\wapt-get.ini" is independent of the console configuration "%localappdata%\waptconsole\waptconsole.ini".
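Added example, not code from the thread or from the WAPT project, to make the chain point above concrete. The wapt-get log earlier in the thread shows the agent going through requests/urllib3, which verifies through OpenSSL, and Let's Encrypt's fullchain.pem holds only the server certificate plus the intermediate, never the root. The script below builds a disposable root/intermediate/leaf PKI with the openssl CLI (all CA names and the hostname waptsrv.example.lan are made up) and runs openssl verify against the bundles it produces, so you can see which combinations OpenSSL accepts by default and which need either the root appended to the trust file or a public CA bundle such as certifi:

```shell
#!/bin/sh
# Added example, not WAPT project code. Builds a throwaway
# root -> intermediate -> leaf PKI (same layout as Let's Encrypt:
# fullchain.pem = leaf + intermediate, root NOT included) and shows how
# `openssl verify` treats each trust-file combination. Names are made up.
set -u

# Create the test PKI in a fresh temp dir and print that dir's path.
make_test_pki() {
    d=$(mktemp -d)
    # Constructed extension profiles: issuers need CA:TRUE to be usable as CAs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:waptsrv.example.lan\n' >"$d/leaf.ext"

    # Self-signed root (the "DST Root CA X3" role in the poster's chain).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1

    # Intermediate signed by the root (the "Let's Encrypt Authority X3" role).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
        -out "$d/inter.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1

    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=waptsrv.example.lan" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1

    # Bundles: what a Let's Encrypt fullchain.pem contains, and the same plus the root.
    cat "$d/leaf.pem" "$d/inter.pem" >"$d/fullchain.pem"
    cat "$d/fullchain.pem" "$d/root.pem" >"$d/fullchain_with_root.pem"
    echo "$d"
}

# verify_leaf DIR [openssl verify options...]: verify DIR/leaf.pem with the
# given trust settings; prints one summary line and returns openssl's status.
verify_leaf() {
    d=$1; shift
    if out=$(openssl verify "$@" "$d/leaf.pem" 2>&1); then
        echo "OK   : openssl verify $*"
        return 0
    else
        echo "FAIL : openssl verify $* -> $(printf '%s\n' "$out" | grep '^error' | head -n 1)"
        return 1
    fi
}

# Demo run (the two expected failures are tolerated so the script exits cleanly).
PKI=$(make_test_pki)
# 1. Trust file = leaf + intermediate only (a .crt copied from fullchain.pem).
#    It contains no self-signed anchor, so default verification fails.
verify_leaf "$PKI" -CAfile "$PKI/fullchain.pem" || true            # expected: FAIL
# 2. Same file with the root appended: a complete, self-anchored chain.
verify_leaf "$PKI" -CAfile "$PKI/fullchain_with_root.pem"
# 3. -partial_chain lets a non-root certificate in the trust file be an anchor.
verify_leaf "$PKI" -partial_chain -CAfile "$PKI/fullchain.pem"
# 4. Root trusted, but the server sends only its own certificate (nginx
#    configured with cert.pem instead of fullchain.pem): no chain can be built.
verify_leaf "$PKI" -CAfile "$PKI/root.pem" || true                 # expected: FAIL
# 5. Root trusted and the intermediate supplied by the server: success.
verify_leaf "$PKI" -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem"
rm -rf "$PKI"
```

Run it with sh; it needs only the openssl binary. Case 1 is the one to compare with a verify_cert that points at a .crt copied from fullchain.pem: a trust file holding no self-signed certificate cannot anchor the chain, and openssl verify reports "unable to get issuer certificate". Appending the root (case 2) or trusting a public bundle like certifi resolves that; -partial_chain (case 3) is shown only to make the rule explicit, not as a WAPT setting. Case 4 is the server-side mistake described in the reply above, nginx serving cert.pem instead of fullchain.pem.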
etunilim
Messages: 9
Registration: Nov 15, 2019 - 11:17

November 22, 2019 - 2:48 PM

Hello,

these certificate issues aren't very clear to me.

To be more precise, I'm using a Let's Encrypt certificate and the fullchain.pem file (the cert.pem file wasn't working properly, even in the server's web interface, precisely because of the incomplete chain).

The fullchain.pem file is supposed to provide this complete chain and did indeed resolve the problem with Firefox.
This is the file retrieved by the console (it's automatically renamed myserver.my.domain.crt, but contains the same information as the fullchain.pem file).

The files I have available with Let's Encrypt are: cert.pem, chain.pem, and fullchain.pem (the latter containing the contents of the other two). Even though the names and extensions differ, I think it corresponds to what's in the documentation.

Furthermore, the file myserver.my.domain.crt generated during certificate retrieval via the console does indeed contain two keys: one with my server's CN name and Let's Encrypt Authority X3 as the issuer, and the second with Let's Encrypt Authority X3 as the CN and DST Root CA X3 as the issuer.

I'm completely lost.
