
[RESOLVED] Domain name change

Published: March 27, 2024 - 11:27
by flipflip
Hello everyone,

This weekend I changed my DNS and Samba domain name (still in NT4 mode). Since then, the agents show as connected in the console, but when I try to force an update on one of them, I get the following message:


C:\Program Files (x86)\wapt>wapt-get update
2024-03-27 11:22:21,305 ERROR Certificate check failed for https://svwapt.nouveaudom/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\svwapt.anciendom.crt
2024-03-27 11:22:21,305 CRITICAL Error merging Packages from wapt into db: None: None
2024-03-27 11:22:21,336 CRITICAL Error merging Packages from wapt-host into db:None : None
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Update package list from https://svwapt.nouveaudom/wapt, https://svwapt.nouveaudom/wapt-host
Total packages : 120
Added packages :

Removed packages :

Discarded packages count : 0
Pending operations :
  install:
  upgrade:
  additional:
  remove:
  immediate_installs:
Repositories URL :
  wapt
  wapt-host

C:\Program Files (x86)\wapt>
The message is clear: there is a problem with authentication, and the certificate refers to the old domain.
I found a page on the wiki that explains how to regenerate certificates in case of theft or loss, but I have the impression that this concerns the user certificate and not the one used by the server to communicate with the agents.

Is there a specific procedure?

Thanks in advance.
Philippe.

Re: Domain name change

Published: March 28, 2024 - 18:38
by dcardon
Hi Philippe,

are you using a self-signed certificate or a public certificate (Let's Encrypt, etc.)?

It seems you have `verify_cert=1` in your `wapt-get.ini` file, and the server name in the certificate doesn't match the one in the configuration. You can temporarily resolve this by setting `verify_cert=0` while you update the certificate settings.

Are you using certificate pinning? That is, do you have `verify_cert=c:\program files (x86)\wapt\ssl\moncertif.crt`?

On a Linux server, HTTPS certificates are stored in `/opt/wapt/waptserver/ssl` if you want to update them to reflect your new server name. However, if you're using pinning, this won't resolve the issue.

If this was just a test and you haven't yet deployed to production, you can wait for the next release. In the postconf file, we've integrated the ability to create a sub-certificate with the new server name in the subjectAltName, which should resolve the issue in this case.

Regards,

Denis

Re: Domain name change

Published: March 29, 2024 - 09:29
by flipflip
Good morning,

Thank you for your reply.
> Are you using a self-signed certificate or a public certificate (Let's Encrypt, etc.)?

It's self-signed.

> It seems you have `verify_cert=1` in your `wapt-get.ini` file, and the server name in the certificate doesn't match the one in the configuration. You can temporarily resolve this by setting `verify_cert=0` while you update the certificate settings.

Oddly, in `verify_cert` I have the local path on the agent to the certificate. To test, I changed it to 0 and I regained control of the test agent in the console.

> Are you using certificate pinning? That is, do you have `verify_cert=c:\program files (x86)\wapt\ssl\moncertif.crt`?

I assumed so, based on the answer to your previous question ;)

> On a Linux server, HTTPS certificates are stored in `/opt/wapt/waptserver/ssl` if you want to update them to reflect your new server name. However, if you're using pinning, this won't resolve the issue.

I don't have a large network, so I can manually deploy the new certificate to the agents. Does the certificate need a specific configuration for WAPT, or is a standard certificate sufficient?

> If this was just a test and you haven't yet deployed to production, you can wait for the next release. In the postconf file, we've integrated the ability to create a sub-certificate with the new server name in the subjectAltName, which should resolve the issue in this case.

As they say: "Too late!" ;)

Re: Domain name change

Published: March 29, 2024 - 10:39
by dcardon
Hi Philippe,

if you have Active Directory, you can redeploy the updated agent with the modified settings.

Regarding the self-signed HTTPS certificate, if you delete/move the certificates in `/opt/wapt/waptserver/ssl`, new certificates will be generated using the new server name. You need to carefully check the output of `hostname -f` to get the FQDN, which must be the one used in the `wapt-get.ini` file on the agents. Then, either pin the correct certificate (`wapt-get enable-check-certificate`) or set `verify_cert=0`.

Regards,

Denis
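As an added example (not code from this thread, and not part of WAPT itself), here is an offline stand-in for the check that failed in the log in the first post: does the certificate pinned in `verify_cert` actually cover the server name in `repo_url`? It builds constructed self-signed certificates for the old and new names with openssl (the file names `cert.pem`/`key.pem`, the minimal `ini_get` parser and the `[global]` ini layout are assumptions of this example, not WAPT's real files), then runs `openssl verify -verify_hostname` against the pinned file, which is what an agent's certificate check amounts to. Run it before pointing `verify_cert` at a regenerated certificate or running `wapt-get enable-check-certificate`, so you don't lock agents out a second time. Requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not WAPT tooling: check that the certificate pinned in
# wapt-get.ini matches the host in repo_url (cert for svwapt.anciendom vs.
# URL for svwapt.nouveaudom is exactly the mismatch the agent logged).
set -u

# Minimal ini reader (assumption of this example): first "key = value" line.
ini_get() {  # ini_get <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Host part of a URL such as https://svwapt.nouveaudom/wapt
url_host() {  # url_host <url>
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||'
}

# Constructed self-signed certificate for one FQDN, with the name in the
# subjectAltName (file names cert.pem/key.pem are this example's choice).
make_selfsigned() {  # make_selfsigned <fqdn> <outdir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" >/dev/null 2>&1
}

# Exit status: 0 = pinned cert covers the repo host, 1 = mismatch (the agent
# would log "Certificate check failed"), 2 = verify_cert is 0/1, nothing pinned.
check_pin() {  # check_pin <wapt-get.ini>
    ini="$1"
    host=$(url_host "$(ini_get "$ini" repo_url)")
    pin=$(ini_get "$ini" verify_cert)
    case "$pin" in
        0|1|"") echo "verify_cert=$pin: no pinned certificate to compare"; return 2 ;;
    esac
    # The pinned file is both the trust anchor and the leaf: self-signed.
    if openssl verify -CAfile "$pin" -verify_hostname "$host" "$pin" >/dev/null 2>&1; then
        echo "OK: $pin covers $host"
        return 0
    fi
    echo "MISMATCH: $pin does not cover $host (agents would refuse it)"
    echo "subjectAltName in pinned cert: $(openssl x509 -in "$pin" -noout -ext subjectAltName | tail -n +2 | tr -d ' ')"
    return 1
}

# Stand-alone demo: reproduce the thread's situation, then the fix.
demo() {
    d=$(mktemp -d)
    make_selfsigned svwapt.anciendom "$d"   # certificate still for the old domain
    printf '[global]\nrepo_url=https://svwapt.nouveaudom/wapt\nverify_cert=%s/cert.pem\n' "$d" > "$d/wapt-get.ini"
    check_pin "$d/wapt-get.ini"             # MISMATCH, as in the agent log
    make_selfsigned svwapt.nouveaudom "$d"  # stand-in for regenerating the server cert with the new FQDN
    check_pin "$d/wapt-get.ini"             # OK: safe to pin / enable-check-certificate
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Use the FQDN from `hostname -f` on the server as the name you pass to the generator and put in `repo_url`; the check fails on a bare short name or a typo just as it does on the old domain, which is the point of running it before re-enabling `verify_cert`.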