Problem verifying HTTPS server certificate in the console
Published: November 20, 2019 - 4:44 PM
by etunilim
Good morning,
WAPT version 1.7
Server: Debian 10
Console: Win 10
I am currently configuring the WAPT console on my administration workstation, following the documentation. Everything was going well until, in the console configuration, I checked the 'verify https server certificate' box.
The certificate is successfully retrieved from the server and placed in wapt/ssl/server/, but I immediately get SSL errors that appear in red in the configuration window:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
I tried several things, without much success (including enable-check-certificate in a cmd window, then restarting the wapt service), but it doesn't change anything.
I can't even start the console anymore, I keep getting the same SSL error messages.
On the server, I replaced the self-signed certificates with those of my organization (replacing the cert.pem and key.pem files in /opt/wapt/waptserver/ssl/). The connection to the server's web interface works perfectly.
If someone can help me, because right now I don't really see the problem.
Thanks in advance
AND.
Re: Problem verifying HTTPS server certificate in the console
Published: November 20, 2019 - 4:54 PM
by etunilim
D,
Just a small point, if it helps:
When I run `wapt-get update` on the administration PC (Windows), I get the following error message:
C:\windows\system32>wapt-get update
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Update package list from https://waptsrv.mondomaine.fr/wapt, https://waptsrv.mondomaine.fr/wapt-host
2019-11-20 15:45:25,494 CRITICAL Error merging Packages from https://waptsrv.mondomaine.fr/wapt into db: SSLError: HTTPSConnectionPool(host='waptsrv.mondomaine.fr', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
2019-11-20 15:45:25,588 CRITICAL Error merging Packages from https://waptsrv.mondomaine.fr/wapt-host into db: SSLError: HTTPSConnectionPool(host='waptsrv.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/464E1D42-5112-5296-C225-3E9D7E0AA64D.wapt (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
C:\windows\system32>wapt-get update
(I changed the server name, of course)
Re: Problem verifying HTTPS server certificate in the console
Published: November 22, 2019 - 11:28 AM
by etunilim
Hello,
After further testing, the error doesn't occur when I check the "Verify the server's HTTPS certificate" option. In that case, I can click the "Verify" button and everything seems fine (no error message is displayed).
The problem arises when I click the "Retrieve HTTP Server Certificate" button:
In that case, it does retrieve the server's certificate (from Program Files (x86)/wapt/ssl/server/), and it's the correct certificate, but the connection errors appear.
This is a serious concern for me, because if I only check the box, it doesn't have the certificates (nothing in Program Files (x86)/wapt/ssl/server/), so I don't really understand what it's verifying (but I admit this certificate mechanism is rather unclear to me, and I could be wrong).
Could you please provide some information on this?
Thank you in advance
.
Re: Problem verifying HTTPS server certificate in the console
Published: November 22, 2019 - 12:44 PM
by sfonteneau
Hello,
In my opinion, you haven't specified the complete certificate chain on the nginx server:
https://www.wapt.fr/fr/doc/wapt-securit ... ganization
To specify a complete chain:
cat srvwapt.mydomain.lan.crt ca.crt > cert.pem
But as the documentation indicates
https://www.wapt.fr/fr/doc/wapt-securit ... wapt-agent,
if you are using a commercial certificate, it's simpler to set the value of verify_cert to 1.
Wapt will then use the Python certifi bundle (139 public certificate bundle...) to verify the connection:
C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem
Note that the agent configuration "C:\Program Files (x86)\wapt\wapt-get.ini" is independent of the console configuration "%localappdata%\waptconsole\waptconsole.ini".
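The chain assembly described in the reply above, as an added example that is not part of the original post or of the WAPT documentation: it builds a throwaway three-level PKI with openssl, concatenates the server certificate and its issuing CA into cert.pem, lists the subject and issuer of each certificate in that file, and checks that verification against the root succeeds only when the issuer is included. The demo-* subjects and the root.crt, inter.crt and ext.cnf file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: root CA -> intermediate CA -> server cert.
# All names (demo-*, srvwapt.mydomain.lan) are placeholders, not real hosts.
set -eu

make_demo_pki() (   # $1 = empty working directory
  cd "$1"
  printf '%s\n' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints=CA:FALSE' \
    'subjectAltName=DNS:srvwapt.mydomain.lan' > ext.cnf
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -subj "/CN=demo-$n" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ext.cnf -extensions v3_ca -out root.crt 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ext.cnf -extensions v3_ca -out inter.crt 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile ext.cnf -extensions v3_leaf \
    -out srvwapt.mydomain.lan.crt 2>/dev/null
  # File served by the web server: server certificate first, then its issuer.
  cat srvwapt.mydomain.lan.crt inter.crt > cert.pem
)

list_chain() {      # $1 = PEM bundle; prints subject= / issuer= for each certificate
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout | grep -v '^$'
}

verify_served() {   # $1 = trusted root, $2 = file the server sends
  # The first certificate in $2 is the one verified; every certificate in $2
  # is offered as an untrusted helper for building the path up to $1.
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  list_chain "$d/cert.pem"
  verify_served "$d/root.crt" "$d/cert.pem" && echo "cert.pem (full chain): OK"
  verify_served "$d/root.crt" "$d/srvwapt.mydomain.lan.crt" \
    || echo "server certificate alone: certificate verify failed"
  rm -rf "$d"
}
demo
```

The same `list_chain` and `verify_served` calls can be pointed at a real cert.pem or fullchain.pem and the CA file the client is expected to trust.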
Re: Problem verifying HTTPS server certificate in the console
Published: November 22, 2019 - 2:48 PM
by etunilim
Hello,
these certificate issues aren't very clear to me.
To be more precise, I'm using a Let's Encrypt certificate and the fullchain.pem file (the cert.pem file wasn't working properly, even in the server's web interface, precisely because of the incomplete chain).
The fullchain.pem file is supposed to provide this complete chain and did indeed resolve the problem with Firefox.
This is the file retrieved by the console (it's automatically renamed myserver.my.domain.crt, but contains the same information as the fullchain.pem file).
The files I have available with Let's Encrypt are: cert.pem, chain.pem, and fullchain.pem (the latter containing the contents of the other two). Even though the names and extensions differ, I think it corresponds to what's in the documentation.
Furthermore, the file myserver.my.domain.crt generated during certificate retrieval via the console does indeed contain two keys: one with my server's CN name and Let's Encrypt Authority X3 as the issuer, and the second with Let's Encrypt Authority X3 as the CN and DST Root CA X3 as the issuer.
I'm completely lost.
confess