Wapt server points to external Ionos domain

Published: March 27, 2025 - 11:03
by maintenancevla
Hello,

we've been using the free version of Wapt for a long time because we don't have the budget, and I thank you for updating the packages on my IT infrastructure.

Now I'd like the schools in my community to also benefit from a local Wapt server in order to create a specific group and access certain users who don't always have the VPN enabled.

Currently, we're using a self-signed, therefore "insecure," certificate via the browser.

Can I retrieve the certificate from the IONOS subdomain and implement it on the Wapt server?
If so, do you have a tutorial to follow?

That way I could follow your final configuration:
https://www.tranquil.it/comment-gerer-d ... avec-wapt/

Thank you in advance.

Re: Wapt server points to external Ionos domain

Published: March 27, 2025 - 11:14
by dcardon
Hello Maintenance,

Wapt version, OS version, etc. See forum rules above.

Regards,

Denis

Re: Wapt server points to external Ionos domain

Published: March 27, 2025 - 11:22
by maintenancevla
- Installed WAPT version: 2.6.0.16795
- Server OS: Debian 11
- Administration/package creation machine OS: Windows Server 2019

Re: Wapt server points to external Ionos domain

Published: March 27, 2025 - 11:35
by sfonteneau
maintenancevla wrote: March 27, 2025 - 11:03 For the time being we are using a self-signed certificate therefore "not secure" via browser.
Why is a self-signed certificate therefore considered "not secure"?

If you "pin" the certificate, it's even more secure!

I just advise you to pin the certificate.

Re: Wapt server points to external Ionos domain

Published: March 28, 2025 - 11:21
by dcardon
Hello Gilhem,

as Simon mentioned, using a self-signed certificate isn't a problem as long as the certificate is pinned and `verify_cert` is set to 1. However, the "homepage" will appear as insecure in a browser, but this isn't a security bug per se.

From version 2.6 onwards, there's client-side SSL certificate security by default (hence my question about the WAPT version), so there's no problem putting the WAPT server in a DMZ accessible from the internet. However, you must be properly logged in (via Kerberos or login/password).

It's possible to integrate your commercial SSL certificate into the WAPT server, see [1]. That said, you will also need to update the configuration on the existing agents (if the certificate is pinned and `verify_cert=1`), by redeploying the new agent via WAPT (with two servers running in parallel) or via GPO (if the workstations are on a domain).

Regards,

Denis

[1] https://www.wapt.fr/en/doc/wapt-securit ... ganization
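
The pinning point made in this thread, as an added example that is not WAPT code and not from any of the posters: a pin ties trust to the exact certificate bytes rather than to a CA chain, so a pinned self-signed certificate is accepted while any other certificate is rejected, and agents that pinned the old certificate stop matching once it is replaced by a commercial one. The function names, agent names and the byte strings standing in for certificates are all hypothetical and constructed.

```python
import hashlib
import hmac
import ssl


def make_constructed_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed sample, not a real X.509 cert)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding: the value a pin actually fixes."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def pin_matches(presented_pem: str, pinned_pem: str) -> bool:
    """True only if the server presented exactly the pinned certificate."""
    return hmac.compare_digest(fingerprint(presented_pem), fingerprint(pinned_pem))


def agents_to_redeploy(agent_pins: dict, new_server_pem: str) -> list:
    """Agents whose pin will stop matching once the server certificate is replaced."""
    return sorted(name for name, pin in agent_pins.items()
                  if not pin_matches(new_server_pem, pin))


# Constructed sample data: three different "certificates".
SELF_SIGNED = make_constructed_pem(b"constructed self-signed server cert")
COMMERCIAL = make_constructed_pem(b"constructed commercial server cert")
OTHER = make_constructed_pem(b"constructed cert from some other host")

# Hypothetical inventory: which certificate each agent currently pins.
AGENT_PINS = {
    "school-pc-01": SELF_SIGNED,
    "school-pc-02": SELF_SIGNED,
    "admin-ws": COMMERCIAL,
}

if __name__ == "__main__":
    print("pinned self-signed accepted:", pin_matches(SELF_SIGNED, SELF_SIGNED))
    print("other certificate accepted: ", pin_matches(OTHER, SELF_SIGNED))
    print("redeploy after switch:", agents_to_redeploy(AGENT_PINS, COMMERCIAL))
```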