[RESOLVED] SSLCertVerificationError after update from 2.5.5 to 2.6.0

Published: Dec 4, 2024 - 10:31
by cefinformatique
WAPT server: 2.6.0.16552-49ddf2d3-amd64 (Debian 12)
WAPT Console: 2.6.0.16552-49ddf2d3 (Debian 12)
WAPT Agent: 2.6.0.16552 (Windows 11 23h2)
Edition: Enterprise

Good morning,

I updated my server (and console) from version 2.5.5 to 2.6.0, but after recreating and deploying the Windows agent, all my clients are showing a certificate verification error:

Code:

2024-12-04 10:01:11,942 [waptcore WaptTaskManager 3356] ERROR Certificate check failed for https://wapt.mondomaine.fr/wapt/Packages and verify_cert True
2024-12-04 10:01:11,942 [waptcore WaptTaskManager 3356] CRITICAL Error merging Packages from wapt into db: HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))
2024-12-04 10:01:11,973 [waptcore WaptTaskManager 3356] CRITICAL Error merging Packages from wapt-host into db: HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/avw-adminwin.mondomaine.fr.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))
2024-12-04 10:01:12,129 [wapttasks WaptTaskManager 3356] INFO Running task Installation de avw-adminwin.mondomaine.fr(=6) (tâche #10) created by console
HTTPSConnectionPool(host='wapt.mondomaine.fr', port=443): Max retries exceeded with url: /wapt-host/avw-adminwin.mondomaine.fr.wapt (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1147)')))

My certificate authority remains the same and is deployed in the store of each Windows client as a trusted root certificate authority.

I attempted a manual installation of agent 2.6.0 but the result remains the same.

Here is the content of wapt-get.ini on a Windows client:

Code:

[global]
repo_url=https://wapt.mondomaine.fr/wapt
wapt_server=https://wapt.mondomaine.fr
verify_cert=1
use_repo_rules=1
use_kerberos=1
use_fqdn_as_uuid=1
use_ad_groups=1
allow_remote_reboot=1
allow_remote_shutdown=1
include_dmi_inventory=1
include_wmi_inventory=1
use_hostpackages=1
peercache_enable=0
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0

[waptwua]
enabled=1
default_allow=1
install_delay=3
download_scheduling=12h
install_scheduling=1d
install_at_shutdown=1
direct_download=False
include_potentially_superseded_updates=True

Re: SSLCertVerificationError following update from 2.5.5 to 2.6.0

Published: Dec 4, 2024 - 2:19 PM
by fschelfaut
Hello,

Since WAPT version 2.6, we no longer directly use the Windows certificate store.
We now rely on the cacert.pem, located in the following directory:
C:\Program Files (x86)\wapt\lib\site-packages\certifi.

Furthermore, if you are using an internal CA, you must specify it when generating the agent.

On your end, you need to check the /opt/wapt/waptserver/ssl/cert.pem on your WAPT server to ensure it contains the full chain.
This means it must include three distinct sections starting with:
-----BEGIN CERTIFICATE-----
If this is not the case, it would explain your SSL certificate problem.

Flavien.
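An added example (not WAPT project code and not from either poster) of the two checks described above, using only the Python standard library: that the server's cert.pem carries the full chain (three CERTIFICATE blocks), and that a given CA certificate is present in the agent's certifi cacert.pem. The sample PEM blocks are constructed stand-ins (minimal DER SEQUENCEs, not real certificates); `live_verify` repeats the validation the agent performs against a chosen CA file and is not called offline.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_certs(pem_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()), validate=True)
        if not der.startswith(b"\x30"):  # every X.509 cert is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def chain_is_full(server_pem: str, expected: int = 3) -> bool:
    """/opt/wapt/waptserver/ssl/cert.pem should hold leaf + intermediate + root."""
    return len(split_pem_certs(server_pem)) >= expected


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if every cert in ca_pem is present, byte for byte, in bundle_pem."""
    bundle = {hashlib.sha256(d).hexdigest() for d in split_pem_certs(bundle_pem)}
    return all(hashlib.sha256(d).hexdigest() in bundle for d in split_pem_certs(ca_pem))


def live_verify(host: str, cafile: str, port: int = 443) -> bool:
    """Verify the server against cafile exactly as the agent does (verify_cert=1)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for leaf / intermediate / root (not real certificates).
LEAF, INTER, ROOT = (b"\x30\x03\x02\x01" + bytes([i]) for i in (1, 2, 3))
SERVER_CERT_PEM = _pem(LEAF) + _pem(INTER) + _pem(ROOT)  # full chain, as cert.pem should be
SERVER_LEAF_ONLY = _pem(LEAF)                             # the broken case from this thread
AGENT_CACERT = _pem(b"\x30\x03\x02\x01\x09") + _pem(ROOT)  # certifi bundle with the internal root appended
```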

Re: SSLCertVerificationError following update from 2.5.5 to 2.6.0

Published: Dec 4, 2024 - 3:18 PM
by cefinformatique
Hello,

OK, the problem is solved by adding my CA to the file C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem.

I will copy this file and deploy it via GPO to all my workstations to reconnect them to WAPT.

Thank you! :D

Re: [RESOLVED] SSLCertVerificationError following update from 2.5.5 to 2.6.0

Published: Dec 4, 2024 - 3:54 PM
by fschelfaut
Good morning,

Note that modifying this file C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem must be temporary!

Because with each new version of WAPT, this file can be rewritten and therefore your changes can be deleted.

The best approach would be to generate an agent and set Server certificate verification to Retrieve the certificate from the server. This way, the agent will retrieve the full chain from the WAPT server. If all your agents are already on the latest version, then you need to use a dynamic configuration package.

Private repository -> Generate a package template -> Dynamic agent configuration
Then set Server certificate verification to Retrieve the certificate from the server.
[attachment: conf_dynamique_agent.PNG]
On your end, you absolutely must check that the file /opt/wapt/waptserver/ssl/cert.pem on your WAPT server contains the full chain (3 certificates).

Flavien