Change of certification authority.

OlivierM

September 2, 2020 - 5:23 PM

Hello,

My SSL certificate on my WAPT server is about to expire.
Due to a change of provider, the new certificate I obtained is not from the same certificate authority as the first one (generated two years ago).

How can I deploy this new certificate on my server without losing contact with my WAPT clients?

Currently, I'm verifying the server certificate using a certificate bundle containing the CAs from the old provider...

Thank you for your help.
OlivierM

September 15, 2020 - 4:31 PM

Too bad, no response.
So I'll answer myself (it might be useful to someone else).

My plan:

I'm going to try deploying a package that disables pinning (verify_cert = 1) on the clients.
Since the certificates aren't self-signed, I'll keep valid SSL encryption.

Once this change is propagated to all clients, I'll change the certificates of my new CA on my WAPT server and verify that everything is still communicating correctly.

Regards,
OlivierM

September 29, 2020 - 11:52

The procedure worked correctly; luckily I had a week or two to deploy the new configuration to the clients, otherwise, with certificate pinning and the CA change, a loss of connection with all clients would have been guaranteed.


Pay attention to the certificate bundle in nginx:
The public certificate bundle (/opt/wapt/waptserver/ssl/cert.pem) must include, in order, the server certificate first, then the intermediate certificates, and finally the root certificate. They were provided in reverse order by my provider (GEANT).

My personal conclusion: no pinning if you are using valid (non-self-signed) certificates.