Agent certificates via verif_cert

Share your tips or issues concerning the WAPT Console or WAPT Agent here
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Answer
yann83
Messages: 40
Registration: Apr 22, 2021 - 07:54

April 25, 2024 - 2:57 PM

Good morning

We use this configuration:
This is a WAPT Enterprise 2.5.4 server, version 15342
On a CentOS 7 server with Windows 10 22H2 Pro clients

I deployed the agents with waptdeploy and a few with waptagent.exe:
  • waptdeploy --hash etc...
Several depots have been deployed

The console is configured as follows:

Code: Select all

[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1
public_certs_dir=C:\Program Files (x86)\wapt\trusted_external_certs

[global]
repo_url=https://monserveur/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https://monserveur
use_kerberos=1
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
verify_cert=<chemin_utilisateur>\monserveur.crt
The agents are configured as follows:

Code: Select all

[global]
use_hostpackages=1
use_kerberos=1
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
repo_url=https://monserveur/wapt
wapt_server=https://monserveur.ramage
verify_cert=C:\Program Files (x86)\wapt\ssl\server\monserveur.crt
use_repo_rules=True
The WAPT agent was generated with a certificate: mycertificate.crt

In the logs on the workstations I have these errors:

Code: Select all

Error downloading package from http repository, please update... error : HTTPSConnectionPool(host='SERVEURDEPOT', port=443): Max retries exceeded with url: /wapt/firefox_115.7_16.92.6-1_x64_windows_PROD.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1131)')))
I am required to install the following on the client machines:

Code: Select all

verify_cert=0
Then I restart the service and it works.

I read the link about certificates: https://www.wapt.fr/fr/doc/wapt-securit ... ertificate

The order

Code: Select all

wapt-get enable-check-certificate
It doesn't return any errors to me.

Should I leave

Code: Select all

verify_cert=0
?

Otherwise, how do I validate the certificate?
High
User avatar
dcardon
WAPT Expert
Messages: 1932
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire
Contact :
Contact dcardon

May 3, 2024 - 4:22 PM

Hello Yann83,

the most common problem is that the DNS server name in the URL doesn't match the name(s) in the self-signed certificate. Could you please check the CN field and especially the subjectAltName field to ensure the DNS name is correctly present?

Regards,

Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
High
yann83
Messages: 40
Registration: Apr 22, 2021 - 07:54

May 6, 2024 - 08:17

I launched
wapt-get enable-check-certificate
The CN does indeed correspond to the DNS address.
The certificate is in the file
C:\Program Files (x86)\wapt\ssl\server\server.address.crt
Did I miss a step during the creation of the WAPT agent?

Should I have added the certificate directly to the generation process in addition to the package certificate?
04032_Compile_WAPT_agent.png
04032_Compiler_l'agent_WAPT.png (44.33 KB) Viewed 5113 times
High
Answer

Return to "WAPT usage (Console, Agent) / WAPT usage (Console, Agent)"


  • To go further with WAPT