[RESOLVED] SSL on WAPTHttpServer secondary repository
Published: January 29, 2026 - 2:55 PM
by sterobo
Good morning,
I am unable to get a secondary repository working over HTTPS with WAPTHttpServer (Windows, wapt 2.6.1.17472).
My configuration uses a CA specified in "verify_cert", which signs the main server (everything works correctly for it, but it probably does not use WAPTHttpServer).
The secondary repository certificate uses the same CA, the secondary repository appears to be accessible via HTTPS (everything is OK via a browser, the CA is the same as the one configured in verify_cert), but I get the following error when running wapt-get update:
Code:
ERROR Certificate check failed for https://<fqdn dépôt secondaire>/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\ca.crt
CRITICAL The rule <nom de règle> failed for repo wapt with repo_url https://<fqdn dépôt secondaire>/wapt : HTTPSConnectionPool(host='<fqdn dépôt secondaire>', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)')))
The submission rule seems correct (it worked over HTTP and the server was accessible).
The wapt logs, on the secondary repository side, do show access during tests with a browser (access443.log), but the error443.log file remains stubbornly empty...
I've read the posts and documentation that address these topics, but I'm a bit stuck...
Re: SSL on secondary repository WAPTHttpServer
Published: January 29, 2026 - 3:41 PM
by sfonteneau
Hello,
To understand correctly, you created a dedicated certificate for the secondary repository from your CA?
You then modified your wapthttpserver configuration to include this new certificate pair?
Is the certificate for the secondary repository the full chain?
Re: SSL on secondary repository WAPTHttpServer
Published: January 30, 2026 - 12:12 PM
by sterobo
Hello, thank you for your reply.
The answer to the first two questions is yes, but I need to check about the full chain, though I don't think so. I'll look into that.
Re: SSL on secondary repository WAPTHttpServer
Published: January 30, 2026 - 2:20 PM
by sfonteneau
It is also necessary to verify that in wapt-get.ini, verify_cert points correctly to the Root CA or the inter-CA, but not to the final server certificate.
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 9:55 AM
by sterobo
Thanks for the replies.
I checked wapt-get.ini, but I seem to be getting the same error with the fullchain.
Access via the browser or even the console (if I set the secondary repository as the primary) is visible in access443.log, but there's still nothing in error443.log, and wapt-get update still fails.
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 10:50 AM
by sfonteneau
What does the following command return?
wapt-get update --force -ldebug
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 11:19 AM
by sterobo
The same error occurs multiple times:
Code:
...
2026-02-02 10:59:39,319 DEBUG Checking availability of https://<fqdn dépôt secondaire>/wapt/Packages
2026-02-02 10:59:39,319 DEBUG Starting new HTTPS connection (1): <fqdn dépôt secondaire>:443
2026-02-02 10:59:39,319 ERROR Certificate check failed for https://<fqdn dépôt secondaire>/wapt/Packages and verify_cert C:\Program Files (x86)\wapt\ssl\server\ca.crt
2026-02-02 10:59:39,319 CRITICAL The rule <nom de règle> failed for repo wapt with repo_url https://<fqdn dépôt secondaire>/wapt : HTTPSConnectionPool(host='<fqdn dépôt secondaire>', port=443): Max retries exceeded with url: /wapt/Packages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)')))
...
But what intrigues me is that nothing is present in error443.log, as if the connection wasn't even attempted by wapt-get.
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 1:01 PM
by sfonteneau
You will not see anything on the secondary repository side because it is the agent that is refusing the https connection because it considers the bundle to be invalid.
You can try it in pure Python:
Code:
C:\Windows\System32>wapt-get shell
Python 3.11.14 (main, Dec 18 2025, 13:46:39) [MSC v.1929 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> import requests
>>> requests.get('https://reposecondaire.mydomain.lan',verify=r'C:\Program Files (x86)\wapt\ssl\server\ca.crt').content
But it should answer:
Code:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1017)
If it works with your browser, then either the full chain on the server side is missing (the intermediate part is missing),
or the path C:\Program Files (x86)\wapt\ssl\server\ca.crt does not point to the CA but to a final certificate (pinning).
Did you properly restart the HTTP server of the secondary repository after putting the fullchain on the secondary repository?
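Added example (not part of the original thread and not WAPT's own code): a standard-library Python check that separates the two causes named in the post above, a verify_cert file that holds no CA certificate versus a CA that is present but cannot be reached from the chain the server sends. The function names and result labels are chosen for this example; the host and file path are passed on the command line.

```python
import socket
import ssl
import sys


def store_stats(cafile):
    """Load cafile as the only trust store; return (context, store counters)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system CAs are loaded
    ctx.load_verify_locations(cafile=cafile)
    # Counters look like {'x509': 2, 'x509_ca': 2, 'crl': 0}
    return ctx, ctx.cert_store_stats()


def handshake_error(ctx, host, port=443, timeout=5):
    """Return None if the server chain verifies, else (verify_code, message)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code, exc.verify_message


def diagnose(stats, error):
    """Map store counters plus handshake result to a label (example's own names)."""
    if stats.get("x509_ca", 0) == 0:
        # The file parsed, but nothing in it is flagged as a CA: it holds a
        # final (leaf) certificate, i.e. the pinning case from the post.
        return "verify_cert-has-no-ca"
    if error is None:
        return "ok"
    code, _message = error
    if code in (20, 21):
        # 20 = unable to get local issuer certificate,
        # 21 = unable to verify the first certificate.
        # A CA is present, yet no path from the served chain reaches it:
        # intermediate not served, or the file holds a different CA.
        return "issuer-not-found"
    return "other-verify-error"


if __name__ == "__main__":
    # Usage: python check_repo_tls.py <host> <path to verify_cert file>
    host, cafile = sys.argv[1], sys.argv[2]
    ctx, stats = store_stats(cafile)
    err = handshake_error(ctx, host)
    print(stats, err, diagnose(stats, err))
```

Connection failures such as a refused connection or a timeout are deliberately not caught, so an unreachable repository is not mistaken for a certificate result.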
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 1:21 PM
by sterobo
Okay, thanks! (I wasn't familiar with wapt-get shell.)
No pinning and the service restarted, but I checked the fullchain and it seemed there was a certificate order reversal (I had retrieved the browser's fullchain). It's working now! Thank you so much for your help!
Edit: Actually, no, there was no reversal, just no more error because it was no longer accessible and was switching to the fallback...
Re: SSL on secondary repository WAPTHttpServer
Published: February 2, 2026 - 1:45 PM
by sfonteneau
Does it work with the curl command?
Code:
curl https://reposecondaire.mydomain.lan --cacert "C:\Program Files (x86)\wapt\ssl\server\ca.crt"