[RESUELTO] Error al obtener el certificado: "ERROR: certificado autofirmado"

Damián Touraine · 18 de noviembre de 2025 - 09:31

Hola,

tenemos varias máquinas con paquetes marcados como "NEED-INSTALL".
Al revisar los registros de nginx en el servidor, veo la siguiente línea: "CN=??? FAILED:self-signed certificate - "... (donde ??? reemplaza el nombre de la máquina agente).
Si no me equivoco, nginx espera que el cliente le envíe un certificado firmado por una autoridad. ¿Pero de dónde podría provenir este certificado?
Saludos cordiales,
Damien

21 de noviembre de 2025 - 13:42

Buen día,
El servidor WAPT emite el certificado al registrar el agente. La autoridad emisora de estos certificados de cliente se especifica en la configuración de nginx; por ejemplo:

Código: Seleccionar todo

ssl_client_certificate "/opt/wapt/conf/ca-srvwapt.blemoigne.lan.crt";

Atentamente,
Bertrand

Damián Touraine · 26 de noviembre de 2025 - 11:20

Hola,

gracias.
En la configuración de nginx, ssl_client_certificate apunta correctamente al certificado del servidor (/opt/wapt/conf/ca-???.crt - reemplace ??? con el FQDN del servidor).
Entonces, parece que la autoridad de certificación es correcta, ¿verdad?

Saludos cordiales,
Damien
PD: Versión del servidor WAPT 2.6.0.147392 en Linux Debian bookworm

26 de noviembre de 2025 - 11:58 AM

Buen día,
Sí, eso significa que hay un problema con el registro del agente en el servidor. Si el certificado sigue siendo autofirmado, el agente no está registrado en el servidor.
Por lo tanto, sería necesario depurar uno de los agentes en cuestión.
Como administrador (o como sistema con "psexec -s -i cmd" si el registro se realiza mediante Kerberos):

Código: Seleccionar todo

wapt-get register -ldebug

Damián Touraine · 28 de noviembre de 2025 - 13:26

Buen día,

Gracias por su ayuda.

Esto es lo que muestra el comando (el archivo de registro se encuentra a continuación):

Código: Seleccionar todo

PS C:\Windows\system32> wapt-get register -ldebug
[DEBUG] Logging TSynLog with level=debug to C:\Program Files (x86)\wapt\log\wapt-get.log
2025-11-28 09:43:11,330 DEBUG Default encoding : utf-8
2025-11-28 09:43:11,330 DEBUG Caller: ['', 'register', '-ldebug']
2025-11-28 09:43:11,336 DEBUG Python path ['C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\python39.zip', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\DLLs', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\Pythonwin']
2025-11-28 09:43:11,336 INFO Using local waptservice configuration C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 DEBUG Config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 INFO Using openssl OpenSSL 3.5.1 1 Jul 2025
2025-11-28 09:43:11,337 DEBUG Thread 8792 is connecting to wapt db
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,347 INFO User Groups:[]
2025-11-28 09:43:11,347 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:43:11,347 INFO WAPT base directory : C:\Program Files (x86)\wapt
Registering host against server: https://serveur_wapt
2025-11-28 09:43:11,347 DEBUG Loading ssl context with cert C:\Program Files (x86)\wapt\private\depot-secondaire.crt and key C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:43:11,347 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,504 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,504 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,631 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,649 DEBUG Thread 8792 is connecting to wapt db
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,710 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:43:11,726 INFO Main repository: https://serveur_wapt/wapt
2025-11-28 09:43:11,743 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
2025-11-28 09:43:11,758 DEBUG wapt_status timing: 0.10861897468566895 s
2025-11-28 09:43:11,774 DEBUG host_capabilities timing: 0.016238927841186523 s
20251128 08431242  ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243  ! debug      Get httpclient
20251128 08431243  !  +         TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243  !  +                 InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243  !  -                 00.000.029
20251128 08431253  !  -         00.156.042
20251128 08431253  ! debug      mormot.net.client.THttpClientSocket(06d36a28) done httpclient
Please get login for login:
73-admin-mazziniad
Password:
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,088 DEBUG DB Start transaction
2025-11-28 09:44:53,088 DEBUG DB commit
2025-11-28 09:44:53,104 INFO Got signed certificate from server. Issuer: serveur_wapt. CN: depot-secondaire
.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248  ! debug      Get httpclient
20251128 08445248  !  +         TWaptServer.GetHttpClient(add_host)
20251128 08445248  !  +                 InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248  !  -                 00.000.008
20251128 08445253  !  -         00.081.663
20251128 08445253  ! debug      mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303  !  -    00.278.987
2025-11-28 09:44:53,525 INFO Save host key to C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:44:53,541 INFO Save host cert to C:\Program Files (x86)\wapt\private\depot-secondaire.crt
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:44:53,572 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
Host correctly registered against server https://serveur_wapt.

PS C:\Windows\system32>

Aquí está el archivo de registro:

Código: Seleccionar todo

C:\Program Files (x86)\wapt\wapt-get.exe 2.6.0.17392 (2025-07-28 18:48:52)
Host=SRV-EWAP-30-731 User=admin-local CPU=4xIntel(R)Xeon(R)Silver4210CPU@2.20GHz[13.7MB](x86)*9-6-21767:fffb8b1f0332dafea9679fd100080000000400bc OS=25.0=10.0.20348 Wow64=1 Freq=1000000
Environment variables=ALLUSERSPROFILE=C:\ProgramData	APPDATA=C:\Users\admin-local\AppData\Roaming	CommonProgramFiles=C:\Program Files (x86)\Common Files	CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files	CommonProgramW6432=C:\Program Files\Common Files	COMPUTERNAME=SRV-EWAP-30-731	ComSpec=C:\Windows\system32\cmd.exe	CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1	DEFLOGDIR=C:\ProgramData\McAfee\Endpoint Security\Logs	DriverData=C:\Windows\System32\Drivers\DriverData	GOOGLE_API_KEY=no	GOOGLE_DEFAULT_CLIENT_ID=no	GOOGLE_DEFAULT_CLIENT_SECRET=no	HOMEDRIVE=C:	HOMEPATH=\Users\admin-local	LOCALAPPDATA=C:\Users\admin-local\AppData\Local	LOGONSERVER=\\DC-AT-01	NUMBER_OF_PROCESSORS=4	OPENSSL_CONF=C:\Program Files (x86)\wapt\openssl.cnf	OS=Windows_NT	Path=C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages;C:\Program Files (x86)\wapt	PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL	PROCESSOR_ARCHITECTURE=x86	PROCESSOR_ARCHITEW6432=AMD64	PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel	PROCESSOR_LEVEL=6	PROCESSOR_REVISION=5507	ProgramData=C:\ProgramData	ProgramFiles=C:\Program Files (x86)	ProgramFiles(x86)=C:\Program Files (x86)	ProgramW6432=C:\Program Files	PSModulePath=C:\Users\admin-local\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules	PUBLIC=C:\Users\Public	SystemDrive=C:	SystemRoot=C:\Windows	TEMP=C:\Users\ADMIN-~1\AppData\Local\Temp	TMP=C:\Users\ADMIN-~1\AppData\Local\Temp	USERDNSDOMAIN=AD.INT	USERDOMAIN=AD	USERDOMAIN_ROAMINGPROFILE=AD	USERNAME=admin-local	USERPROFILE=C:\Users\admin-local	windir=C:\Windows
TSynLog 2.3.11000 2025-11-28T08:43:12

20251128 08431242  ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243  ! debug 	Get httpclient
20251128 08431243  !  +    	TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243  !  +    		InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243  !  -    		00.000.029
20251128 08431253  !  -    	00.156.042
20251128 08431253  ! debug 	mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08431629  !  -    03.782.244
20251128 08445248  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248  ! debug 	Get httpclient
20251128 08445248  !  +    	TWaptServer.GetHttpClient(add_host)
20251128 08445248  !  +    		InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248  !  -    		00.000.008
20251128 08445253  !  -    	00.081.663
20251128 08445253  ! debug 	mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303  !  -    00.278.987
20251128 08445335  ! info  wapt-get terminate

Damián Touraine · 15 de diciembre de 2025 - 18:14

Buen día,
Para completar el diagnóstico, aquí está el mensaje de error:

Código: Seleccionar todo

THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
  File "<string>", line 1662, in run
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
    self._run()
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
    self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
  File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
    res = self.get_repo(entry.repo).download_packages(entry,
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
    raise e
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
    fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized

Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
  File "<string>", line 1662, in run
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
    self._run()
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
    self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
  File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
    res = self.get_repo(entry.repo).download_packages(entry,
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
    raise e
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
    fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized

16 de diciembre de 2025 - 09:01

Hola Damien,

damien.touraine escribió: ↑15 de diciembre de 2025 - 18:14 Para completar el diagnóstico, aquí está el mensaje de error:
Código: Seleccionar todo
THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
...

¿Podrías tener un `repo_url=xxxxxx:80` (puerto 80) en tu archivo `wapt-get.ini`? El repositorio también se autentica mediante un cliente SSL; debería ser el puerto 443 u otro puerto SSL configurado en el servidor Nginx.

Atentamente,

Denis

Damián Touraine · 16 de diciembre de 2025 - 13:11

Buen día,

Aquí está el archivo de configuración de la máquina:

Código: Seleccionar todo

wapt-get.ini;[global]
wapt-get.ini;use_hostpackages=1
wapt-get.ini;peercache_enable=1
wapt-get.ini;use_kerberos=1
wapt-get.ini;use_fqdn_as_uuid=1
wapt-get.ini;use_ad_groups=1
wapt-get.ini;use_repo_rules=1
wapt-get.ini;allow_remote_reboot=1
wapt-get.ini;allow_remote_shutdown=1
wapt-get.ini;max_gpo_script_wait=180
wapt-get.ini;pre_shutdown_timeout=180
wapt-get.ini;hiberboot_enabled=0
wapt-get.ini;repo_url=https://server.domaine/wapt
wapt-get.ini;wapt_server=https://server.domaine
wapt-get.ini;verify_cert=C:\Program Files (x86)\wapt\ssl\server\racine.crt
wapt-get.ini;spn_domain=DOMAIN

Gracias por su ayuda.
Atentamente,
Damián

Damián Touraine · 16 de diciembre de 2025 - 13:49

Hola,
hemos encontrado la causa del error: la ruta del repositorio secundario utilizaba http y no https.
Puedes cerrar el problema.
Saludos cordiales,
Damien