
Agent certificates via verif_cert

Published: April 25, 2024 - 2:57 PM
by yann83
Good morning

We use this configuration:
This is a WAPT Enterprise 2.5.4 server, version 15342
On a CentOS 7 server with Windows 10 22H2 Pro clients

I deployed the agents with waptdeploy and a few with waptagent.exe:
  • waptdeploy --hash etc...
Several depots have been deployed

The console is configured as follows:

Code:

[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1
public_certs_dir=C:\Program Files (x86)\wapt\trusted_external_certs

[global]
repo_url=https://monserveur/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https://monserveur
use_kerberos=1
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
verify_cert=<chemin_utilisateur>\monserveur.crt

The agents are configured as follows:

Code:

[global]
use_hostpackages=1
use_kerberos=1
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
repo_url=https://monserveur/wapt
wapt_server=https://monserveur.ramage
verify_cert=C:\Program Files (x86)\wapt\ssl\server\monserveur.crt
use_repo_rules=True

The WAPT agent was generated with a certificate: mycertificate.crt

In the logs on the workstations I have these errors:

Code:

Error downloading package from http repository, please update... error : HTTPSConnectionPool(host='SERVEURDEPOT', port=443): Max retries exceeded with url: /wapt/firefox_115.7_16.92.6-1_x64_windows_PROD.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1131)')))

I am required to install the following on the client machines:

Code:

verify_cert=0

Then I restart the service and it works.

I read the link about certificates: https://www.wapt.fr/fr/doc/wapt-securit ... ertificate

The command

Code:

wapt-get enable-check-certificate

It doesn't return any errors to me.

Should I leave

Code:

verify_cert=0
?

Otherwise, how do I validate the certificate?

Re: Agent certificates via verif_cert

Published: May 3, 2024 - 4:22 PM
by dcardon
Hello Yann83,

The most common problem is that the DNS server name in the URL doesn't match the name(s) in the self-signed certificate. Could you please check the CN field and especially the subjectAltName field to ensure the DNS name is correctly present?

Regards,

Denis
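
The name check suggested in the reply above, as an added example that is not part of the thread or of WAPT's own code: it reads the URLs from an agent configuration and reports which host names are covered by the certificate's subjectAltName (falling back to the CN only when no DNS entry exists). The configuration text and certificate fields are constructed samples modelled on the values quoted in the thread, and the function names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Constructed agent settings, modelled on the [global] section quoted in the thread.
AGENT_INI = """
[global]
repo_url=https://monserveur/wapt
wapt_server=https://monserveur.ramage
verify_cert=C:\\Program Files (x86)\\wapt\\ssl\\server\\monserveur.crt
"""

# Constructed certificate fields, in the dict shape of ssl.SSLSocket.getpeercert().
PINNED_CERT = {
    "subject": ((("commonName", "monserveur.ramage"),),),
    "subjectAltName": (("DNS", "monserveur.ramage"),),
}


def cert_dns_names(cert):
    """Names a TLS client matches against: DNS SAN entries, CN only if none exist."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def host_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check_agent_urls(ini_text, cert, extra_hosts=()):
    """Map every host the agent contacts to True/False: is it named in the cert?"""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    hosts = [urlsplit(cfg["global"][key]).hostname for key in ("repo_url", "wapt_server")]
    names = cert_dns_names(cert)
    return {h: any(host_matches(h, n) for n in names) for h in [*hosts, *extra_hosts]}


if __name__ == "__main__":
    # SERVEURDEPOT is the repository host named in the quoted error message.
    for host, ok in check_agent_urls(AGENT_INI, PINNED_CERT, ["SERVEURDEPOT"]).items():
        print(f"{host:20} {'ok' if ok else 'NOT in certificate'}")
```

With these sample values, only `monserveur.ramage` is covered; the short name `monserveur` and the repository host would each need their own subjectAltName entry or their own certificate.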

Re: Agent certificates via verif_cert

Published: May 6, 2024 - 08:17
by yann83
I launched
wapt-get enable-check-certificate
The CN does indeed correspond to the DNS address.
The certificate is in the file
C:\Program Files (x86)\wapt\ssl\server\server.address.crt
Did I miss a step during the creation of the WAPT agent?

Should I have added the certificate directly to the generation process in addition to the package certificate?
[Attachment: 04032_Compiler_l'agent_WAPT.png]