Activating the verification of the SSL/TLS certificate
When running the WAPT Server post-configuration script, the script will generate a self-signed certificate in order to enable HTTPS communications.
The WAPT agent checks the HTTPS server certificate according to the verify_cert value in the [global] section of C:\Program Files (x86)\wapt\wapt-get.ini.
Value of verify_cert | Working principle of the WAPT agent
---|---
0 | the WAPT agent will not check the WAPT Server HTTPS certificate
1 | the WAPT agent will check the WAPT Server HTTPS certificate using the agent's default certificate bundle
path to a certificate bundle | the WAPT agent will check the WAPT Server HTTPS certificate with the certificate bundle at that path
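The following is an added example (not WAPT's own code) that models the three verify_cert modes from the table above with the Python ssl module: it reads verify_cert from a wapt-get.ini text, classifies the value, builds a TLS context that verifies the way the table describes, and offers a probe that connects to a server with that context and reports whether verification succeeded. The treatment of a missing key as "0" and the use of the system trust store for the value 1 are assumptions of this example, not documented WAPT behaviour.

```python
"""Model of the three verify_cert modes of the WAPT agent.

Added example, not WAPT's own code. It reads verify_cert from a
wapt-get.ini text and builds a Python ssl context that behaves the
way the documentation table describes, then offers a probe that
connects to a server with that context and reports the outcome.
"""
import configparser
import os
import socket
import ssl


def parse_verify_cert(ini_text: str) -> str:
    """Return the verify_cert value from the [global] section.

    Assumption: a missing key is treated as "0" (unchecked) here so the
    unsafe case is visible; the real agent's default is not documented
    on this page.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg.get("global", "verify_cert", fallback="0").strip()


def classify(verify_cert: str) -> dict:
    """Map a verify_cert value onto the documented modes."""
    if verify_cert == "0":
        return {"mode": "disabled", "bundle": None}
    if verify_cert == "1":
        return {"mode": "default-bundle", "bundle": None}
    return {"mode": "pinned", "bundle": verify_cert}


def build_context(verify_cert: str) -> ssl.SSLContext:
    """Build an SSLContext that verifies (or not) like the agent would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    mode = classify(verify_cert)["mode"]
    if mode == "disabled":
        # verify_cert = 0: no certificate check, no hostname check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "default-bundle":
        # verify_cert = 1: assumption - the system trust store stands in
        # for the agent's default bundle.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    else:
        # verify_cert = <path>: only the pinned bundle is trusted. A missing
        # file (for example after a server migration) must fail loudly
        # rather than silently disabling verification.
        if not os.path.isfile(verify_cert):
            raise FileNotFoundError(f"pinned bundle not found: {verify_cert}")
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=verify_cert)
    return ctx


def probe_server(host: str, port: int, verify_cert: str, timeout: float = 5.0) -> dict:
    """Connect with the given verify_cert mode and report the result."""
    ctx = build_context(verify_cert)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when CERT_NONE
                subject = dict(x[0] for x in cert["subject"]) if cert else None
                return {"ok": True, "subject": subject, "version": tls.version()}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "error": err.verify_message}
    except (OSError, ssl.SSLError) as err:
        return {"ok": False, "error": str(err)}


if __name__ == "__main__":
    # Constructed example configuration; srvwapt.mydomain.lan is the
    # hostname used on the documentation page.
    sample_ini = "[global]\nverify_cert = 1\n"
    value = parse_verify_cert(sample_ini)
    print(classify(value))
    print(probe_server("srvwapt.mydomain.lan", 443, value))
```

Running the probe with verify_cert = 0 reports "ok" even against an untrusted certificate, which is exactly why that value should only be a temporary state; with a pinned path, a file that has gone missing after a migration raises instead of quietly falling back to no verification.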
Hint: To quickly and easily enable verification of the HTTPS certificate, you can use the pinning method.
Pinning the certificate
Certificate pinning consists of verifying the SSL/TLS certificate against a well-defined and restricted bundle.
Hint: This method is the easiest when using a self-signed certificate.
For this, you need to launch the following commands in the Windows cmd.exe shell (with elevated privileges if UAC is active).
If you already have a Windows cmd.exe shell open, close it and open a new one so that the updated environment variables are taken into account:
wapt-get enable-check-certificate
net stop waptservice
net start waptservice
Validate the certificate with: wapt-get update
When you have executed the update command, make sure that everything has gone well; if in doubt, check Problems when enabling enable-check-certificate.
Note: the enable-check-certificate command downloads the certificate srvwapt.mydomain.lan.crt into the folder C:\Program Files (x86)\WAPT\ssl\server; it then modifies the file wapt-get.ini to set verify_cert = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt; the WAPT agent will now verify certificates using the pinned certificate. Because the pinned certificate is fetched from the server at that moment, run the command from a trusted network and make sure the downloaded file matches the certificate in /opt/wapt/waptserver/ssl on the server.
Attention: If you use the certificate pinning method, remember to archive the /opt/wapt/waptserver/ssl folder on your WAPT Server.
This folder will have to be restored on your server if you migrate or upgrade your WAPT Server, so that the WAPT agents can continue to establish trusted HTTPS connections.
How to use a commercial certificate or certificates provided by your organization?
If the pinning method does not suit you, you can replace the self-signed certificate generated during the installation of WAPT.
Replace the old certificate with the new one in the folder /opt/wapt/waptserver/ssl/ (Linux) or c:\wapt\waptserver\ssl\ (Windows).
The new key pair must be in Base64-encoded PEM format.
Note: Special case where your certificate has been signed by an internal Certificate Authority
Certificates issued by an internal Certificate Authority must be served with the complete certificate chain up to the Certificate Authority's certificate.
You can manually append the certificate chain up to the Certificate Authority to the certificate that will be used by Nginx, server certificate first:
Example: cat srvwapt.mydomain.lan.crt ca.crt > cert.pem
For Linux servers it is also necessary to reset the ACLs:
#Debian:
chown root:www-data /opt/wapt/waptserver/ssl/*.pem
#Centos:
chown root:nginx /opt/wapt/waptserver/ssl/*.pem
Restart Nginx to take the new certificates into account:
Linux:
systemctl restart nginx
Windows:
net stop waptnginx
net start waptnginx
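As an added example (not part of WAPT), the following Python script reproduces the chain-building step for an internally signed certificate in code and checks the resulting cert.pem for the mistakes that most often break the agent's chain validation: a DER file where PEM is required, the CA chain not appended, or private key material pasted into the public chain file. The two certificate strings are constructed placeholders (minimal DER SEQUENCEs) so the script runs offline; with real files, pass the contents of srvwapt.mydomain.lan.crt and ca.crt instead.

```python
"""Build and sanity-check the cert.pem that Nginx will serve.

Added example, not WAPT's own tooling. It reproduces the
"cat srvwapt.mydomain.lan.crt ca.crt > cert.pem" step in code and
checks the result for the mistakes that make the agent's chain
validation fail: DER instead of PEM, wrong block order, or private
key material pasted into the public chain file.
"""
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def pem_blocks(text: str) -> list:
    """Return [(label, der_bytes)] for every PEM block in text.

    Raises ValueError when the input is not PEM (for example a binary
    DER file) or when a block does not decode to DER.
    """
    matches = list(PEM_BLOCK.finditer(text))
    if not matches:
        raise ValueError("no PEM blocks found: the file must be Base64 PEM, not DER")
    blocks = []
    for m in matches:
        label = m.group(1)
        body = "".join(m.group(2).split())  # tolerate CRLF and stray spaces
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:  # DER certificates and keys start with a SEQUENCE tag
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def build_chain(server_pem: str, ca_pem: str) -> str:
    """Concatenate the server certificate first, then the CA chain."""
    server = pem_blocks(server_pem)
    chain = pem_blocks(ca_pem)
    if len(server) != 1 or server[0][0] != "CERTIFICATE":
        raise ValueError("server file must contain exactly one CERTIFICATE block")
    for label, _ in chain:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to add a {label} block to the public chain file")
    # Re-emit each block in canonical PEM form, server certificate first
    # (the order Nginx expects), CA chain afterwards.
    return "".join(ssl.DER_cert_to_PEM_cert(der) for _, der in server + chain)


def chain_problems(chain_pem: str) -> list:
    """List what is wrong with a cert.pem meant for an internally signed cert."""
    try:
        blocks = pem_blocks(chain_pem)
    except ValueError as err:
        return [str(err)]
    labels = [label for label, _ in blocks]
    problems = []
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key material found in the public chain file")
    if labels.count("CERTIFICATE") < 2:
        problems.append("only one certificate: the internal CA chain has not been appended")
    return problems


# Constructed placeholders: minimal DER SEQUENCEs stand in for real
# certificates so the example runs offline.
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
CA_CRT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    cert_pem = build_chain(SERVER_CRT, CA_CRT)
    print(cert_pem)
    print("problems:", chain_problems(cert_pem))
```

The checks are structural only (PEM framing, block order, no key material); they do not validate that ca.crt actually issued the server certificate, which is what the agent's TLS verification will enforce once verify_cert points at the CA certificate.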
Configuring the WAPT agent
For a commercial certificate you can set verify_cert = 1 in wapt-get.ini.
For a certificate issued by an internal Certificate Authority, you must place the CA certificate at C:\Program Files (x86)\wapt\ssl\server\ca.crt and set verify_cert in the agent's wapt-get.ini to that certificate path.
To apply the new configuration to your entire fleet, you can regenerate a WAPT agent with the appropriate settings.
Verifying the certificate in the WAPT console
When the WAPT console first starts, it reads the content of C:\Program Files (x86)\WAPT\wapt-get.ini and builds its own configuration file C:\Users\admin\AppData\Local\waptconsole\waptconsole.ini.
This properly sets the verify_cert attribute for the HTTPS communication between the WAPT console and the WAPT Server.