Server migration to a new domain

Published: September 20, 2023 - 09:11
by haxo_914
Hello,

Following a merger between 2 companies, my Linux server, which was in the XXX.fr domain, is now in the YYY.org domain.

Since then, I have had various problems, mainly with Windows updates which do not install properly or at all.

When I check the client logs, I keep getting this message:

"Request signature verification failed: SSL signature verification failed for certificate {'organizationName': 'HP', 'commonName': '21CA61F1-9589-EC11-810F-C01803D8F19C'} issued by srvwapt.xxx.fr".

Upon closer inspection, I see that the certificates (in the private folder) on the clients were issued by the server srvwapt.xxx.fr.
The server certificate (in the client's SSL folder) hasn't changed.

My workstations have also changed from xxx.fr to yyy.fr, but I can see them in the console.

In the waptget.ini file on my workstations, I used the server's IP address instead of the FQDN, and it worked perfectly.

Therefore, I didn't reinstall the agents after the migration.

Is there a specific procedure to follow in this case:
- Resetting the database?
- Reinstalling agents on workstations?
- Creating a new certificate?
- Other...?

Thank you

Re: Server migration to a new domain

Published: September 20, 2023 - 09:29
by dcardon
Hello Jérôme,

WAPT version, server, etc. (see forum rules).

There are several ways to register a workstation on the WAPT server:
* by BIOS UUID (or random UUID)
* by FQDN.

If the agents were installed using UUID registration (the default), they will be able to register again on the server without any problem. They just need to be able to contact the server again and authenticate with their client certificate. The name of the original machine is referenced in the CA for client workstation authentication, but this is only for informational purposes; therefore, there are no issues with renaming or changing the domain.

For the HTTPS certificate, it must be recognized by the workstations. If the certificate was issued by a recognized authority by default (i.e., one present in the Windows certificate store, such as Verisign), there's nothing to do for the certificate to be recognized (as long as `verify_cert=1` tells the WAPT agent to use the Windows certificate store). If the HTTPS certificate isn't recognized, you either need to add it to the certificate store or pin it; see the WAPT documentation. But all of this isn't specific to WAPT; it's just standard HTTPS.

Then, the agent needs to point to the correct server. If you have the old server address in your local WAPT configuration, and you've renamed it on the server side, and SSL is enabled, of course, it's not going to work very well (unless you specified the SAN attribute when generating the new HTTPS certificate).

Regards,

Denis
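
Added example, not part of the reply above and not WAPT's own code: a simplified sketch of standard HTTPS name matching, checking whether the host an agent's `wapt-get.ini` points to is covered by the SAN of the server's HTTPS certificate. The IP address, the new server name `srvwapt.yyy.org` and both certificate dicts are constructed sample values; `wapt_server` and `repo_url` under `[global]` are assumed to be the settings that hold the server address.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed agent config: the agent still points at the server's IP address.
SAMPLE_INI = """[global]
repo_url=https://192.0.2.10/wapt
wapt_server=https://192.0.2.10
verify_cert=1
"""
# Constructed certificates, in the dict layout of ssl.SSLSocket.getpeercert().
OLD_CERT = {"subjectAltName": (("DNS", "srvwapt.xxx.fr"),)}
NEW_CERT = {"subjectAltName": (("DNS", "srvwapt.yyy.org"), ("DNS", "srvwapt.xxx.fr"),
                               ("IP Address", "192.0.2.10"))}

def configured_hosts(ini_text):
    """Return {setting: host} for the server URLs found in the agent config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    urls = {k: cfg.get("global", k, fallback="") for k in ("wapt_server", "repo_url")}
    return {k: urlsplit(u).hostname for k, u in urls.items() if u}

def san_covers(host, cert):
    """True if host (DNS name or IP literal) is listed in the certificate's SAN."""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    name = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            # An IP literal only matches an "IP Address" entry, never a DNS entry.
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS":
            pattern = value.lower()
            if pattern.startswith("*."):
                # A wildcard covers exactly one left-most label.
                if name.partition(".")[2] == pattern[2:]:
                    return True
            elif name == pattern:
                return True
    return False

def check(ini_text, cert):
    """Map each configured setting to whether the certificate covers its host."""
    return {k: san_covers(h, cert) for k, h in configured_hosts(ini_text).items()}
```

With the sample config, `check(SAMPLE_INI, OLD_CERT)` reports both settings as uncovered, while the certificate that lists the new name, the old name and the IP in its SAN covers them.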

Re: Server migration to a new domain

Published: October 2, 2023 - 11:48 AM
by haxo_914
WAPT Server version: 2.3.0.13516 Debian 11 Bullseye
WAPT Agent version: 2.3.0.13516


Hello,
To clarify, I had installed WAPT on PCs in domain 1 and it worked perfectly.

We merged with another company and the PCs from domain 1 migrated to domain 2.
In this domain 2, I have both "old PCs" (domain 1) and new ones.

I redeployed the new wapt-get.ini file on all my old machines with the correct server and what I believe to be the correct settings.
I also deployed the new certificate to c:\....\wapt\ssl.

On the new PCs, I installed the agent from the new server.

The agents are working correctly, but I'm experiencing some strange issues I didn't have before:

From the console, I can't run the update checks (or anything else); nothing happens on the old PCs. On the new PCs, if I type `wapt-get waptwua-install` with an admin account in the command prompt, I get an error. If I run it in admin mode, it works... (waptget_waptwuainstall.png). Is this normal?

Also, on a new PC, I'd like to install Nginx, so I downloaded the package, but when I try to deploy it, I get an error message. (error_deploy.png)
I checked the logs on the PC and there doesn't seem to be a problem.
I included my wapt-get.ini file and the log in the zip archive.

Thanks.

Re: Server migration to a new domain

Published: October 3, 2023 - 1:00 PM
by sfonteneau
Hello,

you have all the symptoms of a certificate error.

Does the certificate you're signing with appear correctly in the machine's certificate tab (on the right)?

Simon