Forum Tranquil IT

Bonjour,

Nous avons un certain nombre de machines dont les paquets sont en "NEED-INSTALL".
Lorsque je regarde les log nginx sur le serveur, j'ai une ligne : "CN=??? FAILED:self-signed certificate - "... (les ??? remplacent le nom de la machine agent).
Si je comprends bien, nginx attend que le client lui adresse un certificat signé par une authorité. Mais d'où pourrait venir ce certificat ?
Cordialement,
Damien

Bonjour,
Le certificat est délivré par le serveur WAPT au moment de l'enregistrement de l'agent. L'autorité délivrant ces certificats clients est indiquée dans la configuration nginx, exemple :

Code : Tout sélectionner

ssl_client_certificate "/opt/wapt/conf/ca-srvwapt.blemoigne.lan.crt";

Bien cordialement,
Bertrand

Bonjour,

Merci.
Dans la configuration nginx, ssl_client_certificate pointe bien sur le certificat du serveur (/opt/wapt/conf/ca-???.crt - remplament de ??? par le fqdn du serveur).
Donc, il semble que l'autorité du certificat est la bonne, non ?

Cordialement,
Damien
PS : WAPT serveur version 2.6.0.147392 sous Linux Debian bookworm

Bonjour,
oui donc ça veut dire qu'il y a un problème de "register" de l'agent sur le serveur. Si le certificat reste autosigné, l'agent n'est pas enregistré sur le serveur.
Il faudrait donc débugger l'un des agents en question.
En tant qu'administrateur (ou en tant que system avec "psexec -s -i cmd" si l'enregistrement se fait via Kerberos) :

Code : Tout sélectionner

wapt-get register -ldebug

Bonjour,

Je vous remercie pour votre aide.

Voici ce qu'affiche la commande (le fichier de log est en dessous) :

Code : Tout sélectionner

PS C:\Windows\system32> wapt-get register -ldebug
[DEBUG] Logging TSynLog with level=debug to C:\Program Files (x86)\wapt\log\wapt-get.log
2025-11-28 09:43:11,330 DEBUG Default encoding : utf-8
2025-11-28 09:43:11,330 DEBUG Caller: ['', 'register', '-ldebug']
2025-11-28 09:43:11,336 DEBUG Python path ['C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\python39.zip', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\DLLs', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\Pythonwin']
2025-11-28 09:43:11,336 INFO Using local waptservice configuration C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 DEBUG Config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,337 INFO Using openssl OpenSSL 3.5.1 1 Jul 2025
2025-11-28 09:43:11,337 DEBUG Thread 8792 is connecting to wapt db
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
2025-11-28 09:43:11,347 INFO User Groups:[]
2025-11-28 09:43:11,347 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:43:11,347 INFO WAPT base directory : C:\Program Files (x86)\wapt
Registering host against server: https://serveur_wapt
2025-11-28 09:43:11,347 DEBUG Loading ssl context with cert C:\Program Files (x86)\wapt\private\depot-secondaire.crt and key C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:43:11,347 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,504 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,504 DEBUG Starting new HTTPS connection (1): serveur_wapt:443
2025-11-28 09:43:11,631 DEBUG https://serveur_wapt:443 "HEAD /ping HTTP/11" 200 0
2025-11-28 09:43:11,649 DEBUG Thread 8792 is connecting to wapt db
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,695 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,710 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,712 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Stores cert chain check in cache
2025-11-28 09:43:11,726 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:43:11,726 INFO Main repository: https://serveur_wapt/wapt
2025-11-28 09:43:11,743 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
2025-11-28 09:43:11,758 DEBUG wapt_status timing: 0.10861897468566895 s
2025-11-28 09:43:11,774 DEBUG host_capabilities timing: 0.016238927841186523 s
20251128 08431242  ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243  ! debug      Get httpclient
20251128 08431243  !  +         TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243  !  +                 InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243  !  -                 00.000.029
20251128 08431253  !  -         00.156.042
20251128 08431253  ! debug      mormot.net.client.THttpClientSocket(06d36a28) done httpclient
Please get login for login:
73-admin-mazziniad
Password:
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB Start transaction
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,056 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB Start transaction
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,072 DEBUG DB commit
2025-11-28 09:44:53,088 DEBUG DB Start transaction
2025-11-28 09:44:53,088 DEBUG DB commit
2025-11-28 09:44:53,104 INFO Got signed certificate from server. Issuer: serveur_wapt. CN: depot-secondaire
.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248  ! debug      Get httpclient
20251128 08445248  !  +         TWaptServer.GetHttpClient(add_host)
20251128 08445248  !  +                 InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248  !  -                 00.000.008
20251128 08445253  !  -         00.081.663
20251128 08445253  ! debug      mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303  !  -    00.278.987
2025-11-28 09:44:53,525 INFO Save host key to C:\Program Files (x86)\wapt\private\depot-secondaire.pem
2025-11-28 09:44:53,541 INFO Save host cert to C:\Program Files (x86)\wapt\private\depot-secondaire.crt
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB Start transaction
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,541 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB Start transaction
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG DB commit
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo global auth
2025-11-28 09:44:53,556 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt auth
2025-11-28 09:44:53,572 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\depot-secondaire.pem for repo wapt-host auth
Host correctly registered against server https://serveur_wapt.

PS C:\Windows\system32>

Voici le fichier de log :

Code : Tout sélectionner

C:\Program Files (x86)\wapt\wapt-get.exe 2.6.0.17392 (2025-07-28 18:48:52)
Host=SRV-EWAP-30-731 User=admin-local CPU=4xIntel(R)Xeon(R)Silver4210CPU@2.20GHz[13.7MB](x86)*9-6-21767:fffb8b1f0332dafea9679fd100080000000400bc OS=25.0=10.0.20348 Wow64=1 Freq=1000000
Environment variables=ALLUSERSPROFILE=C:\ProgramData	APPDATA=C:\Users\admin-local\AppData\Roaming	CommonProgramFiles=C:\Program Files (x86)\Common Files	CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files	CommonProgramW6432=C:\Program Files\Common Files	COMPUTERNAME=SRV-EWAP-30-731	ComSpec=C:\Windows\system32\cmd.exe	CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1	DEFLOGDIR=C:\ProgramData\McAfee\Endpoint Security\Logs	DriverData=C:\Windows\System32\Drivers\DriverData	GOOGLE_API_KEY=no	GOOGLE_DEFAULT_CLIENT_ID=no	GOOGLE_DEFAULT_CLIENT_SECRET=no	HOMEDRIVE=C:	HOMEPATH=\Users\admin-local	LOCALAPPDATA=C:\Users\admin-local\AppData\Local	LOGONSERVER=\\DC-AT-01	NUMBER_OF_PROCESSORS=4	OPENSSL_CONF=C:\Program Files (x86)\wapt\openssl.cnf	OS=Windows_NT	Path=C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages\win32;C:\Program Files (x86)\wapt\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\wapt\DLLs;C:\Program Files (x86)\wapt\lib\site-packages;C:\Program Files (x86)\wapt	PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL	PROCESSOR_ARCHITECTURE=x86	PROCESSOR_ARCHITEW6432=AMD64	PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel	PROCESSOR_LEVEL=6	PROCESSOR_REVISION=5507	ProgramData=C:\ProgramData	ProgramFiles=C:\Program Files (x86)	ProgramFiles(x86)=C:\Program Files (x86)	ProgramW6432=C:\Program Files	PSModulePath=C:\Users\admin-local\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules	PUBLIC=C:\Users\Public	SystemDrive=C:	SystemRoot=C:\Windows	TEMP=C:\Users\ADMIN-~1\AppData\Local\Temp	TMP=C:\Users\ADMIN-~1\AppData\Local\Temp	USERDNSDOMAIN=AD.INT	USERDOMAIN=AD	USERDOMAIN_ROAMINGPROFILE=AD	USERNAME=admin-local	USERPROFILE=C:\Users\admin-local	windir=C:\Windows
TSynLog 2.3.11000 2025-11-28T08:43:12

20251128 08431242  ! rotat wapt-get 2.6.0.17392 TSynLog 2.3.11000 {4 1.80 1.18 13 3.9GB/8GB 4f7c1901}
20251128 08431242  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host_kerberos
20251128 08431243  ! debug 	Get httpclient
20251128 08431243  !  +    	TWaptServer.GetHttpClient(add_host_kerberos)
20251128 08431243  !  +    		InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08431243  !  -    		00.000.029
20251128 08431253  !  -    	00.156.042
20251128 08431253  ! debug 	mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08431629  !  -    03.782.244
20251128 08445248  !  +    TWaptServer.HttpRequest URL https://serveur_wapt/add_host
20251128 08445248  ! debug 	Get httpclient
20251128 08445248  !  +    	TWaptServer.GetHttpClient(add_host)
20251128 08445248  !  +    		InitHttpTlsContext(TLSContext 2387672, Url https://serveur_wapt, ServerCABundle C:\Program Files (x86)\wapt\ssl\server\racine.crt, ClientCertificatePath , ClientPrivateKeyPath , OnGetPrivateKeyPassword 29355088, OnPeerCertValidate 29355068)
20251128 08445248  !  -    		00.000.008
20251128 08445253  !  -    	00.081.663
20251128 08445253  ! debug 	mormot.net.client.THttpClientSocket(06d36a28) done httpclient
20251128 08445303  !  -    00.278.987
20251128 08445335  ! info  wapt-get terminate

Bonjour,
Pour compléter le diagnostique, voici le message d'erreur :

Code : Tout sélectionner

THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
  File "<string>", line 1662, in run
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
    self._run()
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
    self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
  File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
    res = self.get_repo(entry.repo).download_packages(entry,
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
    raise e
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
    fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized

Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
  File "<string>", line 1662, in run
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 881, in run
    self._run()
  File "C:\Program Files (x86)\wapt\waptservice\waptservice_common.py", line 1403, in _run
    self.result = self.wapt.download_packages(self.packagenames, usecache=self.usecache, printhook=self.printhook)
  File "C:\Program Files (x86)\wapt\common.py", line 5712, in download_packages
    res = self.get_repo(entry.repo).download_packages(entry,
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4679, in download_packages
    raise e
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 4660, in download_packages
    fullpackagepath = waptwget(
Exception: THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized

Bonjour Damien,

damien.touraine a écrit : ↑15 déc. 2025 - 18:14 Pour compléter le diagnostique, voici le message d'erreur :
Code : Tout sélectionner
THttpClientSocket.WGet: HEAD server.domaine:80/remote-repo-http_2.6.0.17346-10_x64_windows_PROD.wapt failed as 401 Unauthorized
Traceback (most recent call last):
...

Est ce que vous n'auriez pas un repo_url=xxxxxx:80 (port 80) dans votre fichier wapt-get.ini? Le dépôt est aussi authentifié en ssl client, il faudrait que ce soit 443 ou bien un autre port ssl configuré sur le nginx.

Cordialement,

Denis

Bonjour,

Voici le fichier de configuration de la machine :

Code : Tout sélectionner

wapt-get.ini;[global]
wapt-get.ini;use_hostpackages=1
wapt-get.ini;peercache_enable=1
wapt-get.ini;use_kerberos=1
wapt-get.ini;use_fqdn_as_uuid=1
wapt-get.ini;use_ad_groups=1
wapt-get.ini;use_repo_rules=1
wapt-get.ini;allow_remote_reboot=1
wapt-get.ini;allow_remote_shutdown=1
wapt-get.ini;max_gpo_script_wait=180
wapt-get.ini;pre_shutdown_timeout=180
wapt-get.ini;hiberboot_enabled=0
wapt-get.ini;repo_url=https://server.domaine/wapt
wapt-get.ini;wapt_server=https://server.domaine
wapt-get.ini;verify_cert=C:\Program Files (x86)\wapt\ssl\server\racine.crt
wapt-get.ini;spn_domain=DOMAIN

Merci de votre aide.
Cordialement,
Damien

Bonjour,
Nous avons trouvé la source de l'erreur : le chemin du dépôt secondaire était en http et non en https.
Vous pouvez clore le sujet.
Cordialement,
Damien

Forum Tranquil IT

[RESOLU] Failed getting certificate : "FAILED:self-signed certificate"

[RESOLU] Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"

Re: Failed getting certificate : "FAILED:self-signed certificate"