4. FAQ - Agent Issues

4.1. I lost my WAPT private key

WAPT security and its correct functioning rely on sets of private keys and public certificates.

Losing a private key thus requires generating a new key and its associated certificates, and then deploying the new keys and the new certificates on the Organization’s computers.

Losing a key therefore has consequences: the recovery process is not trivial, although it is relatively simple.

4.1.1. Generating or renewing a private key

The procedure is:

  • Generate a new private key / public certificate pair. Keep the private key (.pem file) in a safe location;

  • Deploy the new .crt certificate to the ssl folder on your clients, either manually, using a GPO, or using an Ansible role (not documented).

    • C:\Program Files (x86)\ssl on Windows;

    • /opt/wapt/ssl on Linux and macOS.

4.1.2. Re-signing packages in the repositories

WAPT packages hosted on the repositories were signed using the former private key, so you MUST re-sign every package of the repository using the new key:

4.2. My private key has been stolen

Attention

WAPT security relies on protecting your private keys.

WAPT does not yet handle key revocation using a CRL.

The solution consists of deleting every .crt certificate associated with the stolen private key from the ssl folder:

  • C:\Program Files (x86)\ssl on Windows;

  • /opt/wapt/ssl on Linux and macOS.

That operation can be done using a GPO, manually, with a WAPT package or with an Ansible role (not documented).

Finally, you will have to follow the same steps as for the loss of your private key.
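
One way to script the deletion step described in this section, as an added example that is not part of the WAPT documentation or WAPT's own code: it matches certificates by SHA-256 fingerprint rather than by file name, so renamed copies of the compromised certificate are caught as well. The function names, file names and sample bytes are assumptions constructed for the illustration, and only the top level of the ssl folder is scanned.

```python
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def file_fingerprints(path):
    """SHA-256 (hex) of every certificate found in one PEM .crt file."""
    found = set()
    for block in PEM_BLOCK.findall(Path(path).read_text(errors="replace")):
        try:
            found.add(hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest())
        except ValueError:  # damaged base64: not comparable, skip the block
            continue
    return found

def remove_compromised_certs(ssl_dir, compromised_sha256, dry_run=True):
    """Return the .crt file names in ssl_dir that carry the compromised
    certificate; delete them only when dry_run is False."""
    target = compromised_sha256.replace(":", "").lower()
    hits = []
    for crt in sorted(Path(ssl_dir).glob("*.crt")):
        if target in file_fingerprints(crt):
            hits.append(crt.name)
            if not dry_run:
                crt.unlink()
    return hits

def demo():
    # Constructed sample data: placeholder bytes stand in for DER
    # certificates, which is enough to exercise the fingerprint matching.
    stolen, current = b"constructed-stolen-cert", b"constructed-current-cert"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "old-admin.crt").write_text(ssl.DER_cert_to_PEM_cert(stolen))
        (d / "renamed-copy.crt").write_text(ssl.DER_cert_to_PEM_cert(stolen))
        (d / "new-admin.crt").write_text(ssl.DER_cert_to_PEM_cert(current))
        fp = hashlib.sha256(stolen).hexdigest()
        planned = remove_compromised_certs(d, fp)                  # dry run
        removed = remove_compromised_certs(d, fp, dry_run=False)   # delete
        left = sorted(p.name for p in d.glob("*.crt"))
    return planned, removed, left

if __name__ == "__main__":
    print(demo())
```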

4.3. Problems with registering a host with WAPT

If you run wapt-get register and it returns:

FATAL ERROR : ConnectionError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: /add_host

You need to check that port 443 is correctly forwarded to the WAPT Server and not blocked by a firewall.

4.4. Windows does not wait for the network to be running on startup

By default Windows does not wait for the network to be up at computer startup.

This can cause problems during the WAPT Deployment utility execution because the WAPT Deployment utility requires network connectivity to retrieve the new WAPT Agent.

There are 2 solutions:

  1. We recommend adding waptdeploy.exe to the startup and shutdown scripts on the GPO.

  2. You can enable the GPO: Always wait for the network at computer startup and logon with Computer Configuration ‣ Administrative Templates ‣ System ‣ Logon ‣ Always wait for the network at computer startup and logon

GPO to wait network startup

4.5. The WAPT Exit utility will not launch

Despite the script actually being registered in the local security shutdown strategy, the waptexit script does not launch at computer shutdown.

4.5.1. Hybrid shutdown

Windows 10 hybrid shutdown MUST be disabled because it causes many problems and strange behaviors. Disabling Hybrid Shutdown restores the WAPT Exit script execution at shutdown.

Hybrid shutdown can be disabled by setting a value in the wapt-get.ini file of the WAPT Agent.

It is possible to set this value when creating the WAPT Agent.

A WAPT package exists to solve the Hybrid Shutdown problem: tis-disable-hybrid-shutdown.

4.5.2. Windows Home edition

Local security policies are not available when using a Windows Home edition computer, so it is normal that the script will not launch.

The workaround consists in using a scheduled task that will launch C:\Program Files (x86)\wapt\wapt-get.exe with the argument upgrade.

4.5.3. Corrupted local GPO

It sometimes happens that local security policies on a computer are corrupted.

One of the possible solutions is to:

  • Remove local security strategies by deleting the file C:\Windows\System32\GroupPolicy\gpt.ini;

  • Restart the computer;

  • Re-install the shutdown scheduled tasks with:

wapt-get add-upgrade-shutdown

If the problem occurs again, this may mean that another application also manipulates the local GPO.

4.6. The WAPT Exit utility halts after 15 minutes and does not finish installing the WAPT packages

By default, Windows shutdown scripts are only allowed to run for 15 minutes.

If a script has not finished before that limit, Windows will interrupt the script.

To solve that problem, increase the pre_shutdown_timeout value and the max_gpo_script_wait value in the wapt-get.ini file of the WAPT Agent.

Define these values to change the default behavior.

max_gpo_script_wait = 360
pre_shutdown_timeout = 360

The WAPT package tis-wapt-conf-policy sets this configuration.

The other solution may be to use the GPO File.ini.

Using a GPO ini File to configure the script execution delay