Hello,
We have several machines with packages that are marked "NEED-INSTALL".
When I look at the nginx logs on the server, I see a line: "CN=??? FAILED:self-signed certificate - "... (the ??? replace the agent machine name).
If I understand correctly, nginx expects the client to send it a certificate signed by an authority. But where could this certificate come from?
Best regards,
Damien
[SOLVED] Failed getting certificate: "FAILED:self-signed certificate"
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Good morning,
The certificate is issued by the WAPT server upon agent registration. The issuing authority for these client certificates is specified in the nginx configuration, for example:
Best regards,
Bertrand
The certificate is issued by the WAPT server upon agent registration. The issuing authority for these client certificates is specified in the nginx configuration, for example:
Code: Select all
ssl_client_certificate "/opt/wapt/conf/ca-srvwapt.blemoigne.lan.crt";Bertrand
-
Damien Touraine
- Messages: 13
- Registration: Nov 13, 2025 - 10:02
Hello,
Thank you.
In the nginx configuration, ssl_client_certificate correctly points to the server's certificate (/opt/wapt/conf/ca-???.crt - replace ??? with the server's FQDN).
So, it seems the certificate authority is correct, right?
Best regards,
Damien
PS: WAPT server version 2.6.0.147392 on Linux Debian bookworm
Thank you.
In the nginx configuration, ssl_client_certificate correctly points to the server's certificate (/opt/wapt/conf/ca-???.crt - replace ??? with the server's FQDN).
So, it seems the certificate authority is correct, right?
Best regards,
Damien
PS: WAPT server version 2.6.0.147392 on Linux Debian bookworm
Good morning,
Yes, so that means there's a problem with the agent's registration on the server. If the certificate remains self-signed, the agent isn't registered on the server.
Therefore, one of the agents in question would need to be debugged.
As administrator (or as system with "psexec -s -i cmd" if the registration is done via Kerberos):
Yes, so that means there's a problem with the agent's registration on the server. If the certificate remains self-signed, the agent isn't registered on the server.
Therefore, one of the agents in question would need to be debugged.
As administrator (or as system with "psexec -s -i cmd" if the registration is done via Kerberos):
Code: Select all
wapt-get register -ldebug-
Damien Touraine
- Messages: 13
- Registration: Nov 13, 2025 - 10:02
Good morning,
Thank you for your help.
Here is what the command displays (the log file is below):
Here is the log file:
Thank you for your help.
Here is what the command displays (the log file is below):
Code: Select all
PS C:\Windows\system32> wapt-get register -ldebug
[DEBUG] Logging TSynLog with level=debug to C:\Program Files (x86)\wapt\log\wapt-get.log
2025-11-28 09:43:11,330 DEBUG Default encoding : utf-8
2025-11-28 09:43:11,330 DEBUG Caller: ['', 'register', '-ldebug']
2025-11-28 09:43:11,336 DEBUG Python path ['C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\python39.zip', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\DLLs', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\Pythonwin']
2025-11-28 09:43:11,336 INFO Using local waptservice configuration C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 DEBUG Config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 INFO Using openssl OpenSSL 3.5.1 1 Jul 2025
2025-11-28 09:43:11,337 DEBUG Thread 8792 is connecting to wapt db
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,347 INFO User Groups:[]
2025-11-28 09:43:11,347 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:43:11,347 INFO WAPT base directory : C:\Program Files (x86)\wapt
Registering host against server: https://serveur_wapt
2025-11-28 09:43:11,347 DEBUG Loading ssl context with cert C:\Program Files (x86)\wapt\private\depot-secondaire.crt and key C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:43:11,347 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,504 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,504 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,631 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,649 DEBUG Thread 8792 is connecting to wapt db
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,710 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:43:11,726 INFO Main repository: https://serveur_wapt/wapt
2025-11-28 09:43:11,743 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
2025-11-28 09:43:11,758 DEBUG wapt_status timing: 0.10861897468566895 s
2025-11-28 09:43:11,774 DEBUG host_capabilities timing: 0.016238927841186523 s
20251128 08431242 ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242 ! + TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243 ! debug Get httpclient
20251128 08431243 ! + TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243 ! + InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243 ! - 00.000.029
20251128 08431253 ! - 00.156.042
20251128 08431253 ! debug mormot.net.client.THttpClientSocket(06d36a28) done httpclient
Please get login for login:
73-admin-mazziniad
Password:
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,088 DEBUG DB Start transaction
2025-11-28 09:44:53,088 DEBUG DB commit
2025-11-28 09:44:53,104 INFO Got signed certificate from server. Issuer: serveur_wapt. CN: depot-secondaire
.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248 ! debug Get httpclient
20251128 08445248 ! + TWaptServer.GetHttpClient(add_host)
20251128 08445248 ! + InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248 ! - 00.000.008
20251128 08445253 ! - 00.081.663
20251128 08445253 ! debug mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303 ! - 00.278.987
2025-11-28 09:44:53,525 INFO Save host key to C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:44:53,541 INFO Save host cert to C:\Program Files (x86)\wapt\private\depot-secondaire.crt
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:44:53,572 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
Host correctly registered against server https://serveur_wapt.
PS C:\Windows\system32>
Code: Select all
C:\Program Files (x86)\wapt\wapt-get.exe 2.6.0.17392 (2025-07-28 18:48:52)
Host=SRV-EWAP-30-731 User=admin-local CPU=4xIntel(R)Xeon(R)Silver4210CPU@2.20GHz[13.7MB](x86)*9-6-21767:fffb8b1f0332dafea9679fd100080000000400bc OS=25.0=10.0.20348 Wow64=1 Freq=1000000
Environment variables=ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\admin-local\AppData\Roaming CommonProgramFiles=C:\Program Files (x86)\Common Files CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files COMPUTERNAME=SRV-EWAP-30-731 ComSpec=C:\Windows\system32\cmd.exe CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 DEFLOGDIR=C:\ProgramData\McAfee\Endpoint Security\Logs DriverData=C:\Windows\System32\Drivers\DriverData GOOGLE_API_KEY=no GOOGLE_DEFAULT_CLIENT_ID=no GOOGLE_DEFAULT_CLIENT_SECRET=no HOMEDRIVE=C: HOMEPATH=\Users\admin-local LOCALAPPDATA=C:\Users\admin-local\AppData\Local LOGONSERVER=\\DC-AT-01 NUMBER_OF_PROCESSORS=4 OPENSSL_CONF=C:\Program Files (x86)\wapt\openssl.cnf OS=Windows_NT Path=C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages;C:\Program Files (x86)\wapt PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL PROCESSOR_ARCHITECTURE=x86 PROCESSOR_ARCHITEW6432=AMD64 PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=5507 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files (x86) ProgramFiles(x86)=C:\Program Files (x86) ProgramW6432=C:\Program Files PSModulePath=C:\Users\admin-local\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules PUBLIC=C:\Users\Public SystemDrive=C: SystemRoot=C:\Windows TEMP=C:\Users\ADMIN-~1\AppData\Local\Temp TMP=C:\Users\ADMIN-~1\AppData\Local\Temp USERDNSDOMAIN=AD.INT USERDOMAIN=AD USERDOMAIN_ROAMINGPROFILE=AD USERNAME=admin-local USERPROFILE=C:\Users\admin-local windir=C:\Windows
TSynLog 2.3.11000 2025-11-28T08:43:12
20251128 08431242 ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242 ! + TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243 ! debug Get httpclient
20251128 08431243 ! + TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243 ! + InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243 ! - 00.000.029
20251128 08431253 ! - 00.156.042
20251128 08431253 ! debug mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08431629 ! - 03.782.244
20251128 08445248 ! + TWaptServer.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248 ! debug Get httpclient
20251128 08445248 ! + TWaptServer.GetHttpClient(add_host)
20251128 08445248 ! + InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248 ! - 00.000.008
20251128 08445253 ! - 00.081.663
20251128 08445253 ! debug mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303 ! - 00.278.987
20251128 08445335 ! info wapt-get terminate
-
Damien Touraine
- Messages: 13
- Registration: Nov 13, 2025 - 10:02
Good morning,
To complete the diagnosis, here is the error message:
To complete the diagnosis, here is the error message:
Code: Select all
THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
File "<string>", line 1662, in run
File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
self._run()
File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
res = self.get_repo(entry.repo).download_packages(entry,
File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
raise e
File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
File "<string>", line 1662, in run
File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
self._run()
File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
res = self.get_repo(entry.repo).download_packages(entry,
File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
raise e
File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
-
dcardon
- WAPT Expert
- Messages: 1929
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
- Contact :
Hello Damien,
Sincerely,
Denis
Could you have a `repo_url=xxxxxx:80` (port 80) in your `wapt-get.ini` file? The repository is also authenticated via SSL client; it should be port 443 or another SSL port configured on the Nginx server.damien.touraine wrote: ↑Dec 15, 2025 - 6:14 PM To complete the diagnosis, here is the error message:...Code: Select all
THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized Traceback (most recent call last):
Sincerely,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
-
Damien Touraine
- Messages: 13
- Registration: Nov 13, 2025 - 10:02
Good morning,
Here is the machine's configuration file:
Thank you for your help.
Sincerely,
Damien
Here is the machine's configuration file:
Code: Select all
wapt-get.ini;[global]
wapt-get.ini;use_hostpackages=1
wapt-get.ini;peercache_enable=1
wapt-get.ini;use_kerberos=1
wapt-get.ini;use_fqdn_as_uuid=1
wapt-get.ini;use_ad_groups=1
wapt-get.ini;use_repo_rules=1
wapt-get.ini;allow_remote_reboot=1
wapt-get.ini;allow_remote_shutdown=1
wapt-get.ini;max_gpo_script_wait=180
wapt-get.ini;pre_shutdown_timeout=180
wapt-get.ini;hiberboot_enabled=0
wapt-get.ini;repo_url=https://server.domaine/wapt
wapt-get.ini;wapt_server=https://server.domaine
wapt-get.ini;verify_cert=C:\Program Files (x86)\wapt\ssl\server\racine.crt
wapt-get.ini;spn_domain=DOMAIN
Sincerely,
Damien
-
Damien Touraine
- Messages: 13
- Registration: Nov 13, 2025 - 10:02
Hello,
We have found the source of the error: the secondary repository path was using http and not https.
You can close the issue.
Best regards,
Damien
We have found the source of the error: the secondary repository path was using http and not https.
You can close the issue.
Best regards,
Damien
