Frequent problems

I have lost my SuperAdmin password

It sometimes happens to setup a WAPT Server and then forget its password.

To reset the WAPT console SuperAdmin password you have to relaunch the post-configuration process on the WAPT Server.

Reseting the WAPT Linux Server password

  • connect to the server with SSH;
  • connect with user root (or use sudo);
  • launch post-configuration script :
/opt/wapt/waptserver/scripts/postconf.sh

Attention

To avoid breaking the exisiting WAPT Server setup, accept all the other steps, DO NOT CREATE a new private key !

I lost my WAPT private key

WAPT’s security and its correct functionning rely on sets of private keys and public certificates.

Losing a private key thus requires to generate a new key and its associated certificates, and then to deploy the new keys and the new certificates on the Organization’s computers.

Therefore, losing a key bears some consequences, the process to recover from a lost key is not trivial, although it is relatively simple.

Generating or renewing a private key

The procedure is:

  • generate a new private key / public certificate. You will then keep the private key (file . pem) in a safe location;
  • deploy the new certificate .crt on your clients in the folder c:\programe files (x86)\ssl manually or using a GPO;

Re-signing packages in the repositories

WAPT packages hosted on the repositories were signed using the former private key, so you must re-sign every package of the repository using the new key.

To re-sign every WAPT packages using the new key (software packages and host packages), use the command:

wapt-get sign-packages c:\waptdev\*

My private key has been stolen

Attention

WAPT security relies on protecting their private keys.

WAPT does not handle key revocation yet (abbr:CRL (Certificate Revocation List)).

The solution consists in deleting every .crt certificate associated to the stolen private key, located in the c:\Program Files (x86)\wapt\ssl folder.

That operation can be done using a GPO, manually, or with a WAPT package.

My BIOS UUID bugs

  • some problems happen sometimes with some BIOSes. WAPT uses the UUID of the machine as their identifier;
  • the UUID is supposed to be unique. Unfortunately, for some OEM and some batches, BIOS UUID are identical;
  • the machine will register in the WAPT console but it will replace an existing device, considering that the machine has only changed its name;

Solving the BIOS UUID issue

WAPT allows to generate a random UUID to replace the one retrieved from the BIOS.

wapt-get generate-uuid

WAPTdeploy does not work

Symptoms

The waptdeploy utility does not succeed in installing the WAPT agent.

Solving the BIOS UUID issue

Adding the waptagent.exe url

Add waptsetupurl argument in WAPTdeploy GPO arguments of waptdeploy.

--waptsetupurl=https://monserverserveurwapt/waptagent.exe

Launching WAPTdeploy locally

Launching waptdeploy locally can be a good method for showing errors explicitly.

Example of command to launch:

C:\Program Files (x86)\wapt\waptdeploy.exe --hash=2a9971aad083d6822b6e4d1ccfb9886be9429ec58bb13246810ff3d6a56ce887 --minversion=1.4.2.0 --wait=15

In our case the hash is not correct.

waptdeploy error

Attention

Do not forget to start the command prompt as a Local Administrator.

WAPTdeploy works manually but does not work with GPO

Check that port 8088 is listening correctly on host:

gpresult /h gpo.html & gpo.html

To force the application of the GPO:

gpupdate /force

If waptdeploy does not show up you will have to double check the GPO settings.

You may be using an old waptdeploy version, download the latest version from here:

Windows does not wait for the network to be up on startup

By default Windows does not wait for the network to be up at computer startup.

This can cause problems during waptdeploy execution because it requires network connectivity to retrieve the new WAPT agent.

You can enable the GPO: Always wait for the network at computer startup and logon

Computer Configuration\Administrative Templates\System\Logon\**Always wait for the network at computer startup and logon**

GPO wait network startup

WAPT Exit will not launch

Despite the script actually being registered in the local security shutdown strategy, the waptexit script does not launch at computer shutdown.

Solution: Hybrid shutdown

Windows 10 hybrid shutdown must be disabled because it causes many problems and strange behaviors, disabling Hybrid Shutdown will restore exit script execution at shutdown.

Hybrid shutdown can be disabled by setting a value in wapt-get.ini file of WAPT agent : Settings for waptexit.

There is a WAPT package to solve the Hybrid Shutdown problem:

Solution: Windows Home edition

Local security policies are not available when using a Windows Home edition computer, so it is normal that the script will not launch. To circumvent the problem, use scheduled tasks.

The workaround consists in using a scheduled task that will launch C:\Program Files (x86)\wapt\wapt-get.exe with the argument upgrade.

Solving problems with corrupted local GPO

It sometimes occurs that local security policies on the computer are corrupted.

One of the possible solutions is to remove local security strategies by deleting the file C:\Windows\System32\GroupPolicy\gpt.ini, to restart the computer, and finally to re-install the shutdown scheduled tasks:

wapt-get add-upgrade-shutdown

If the problem occurs again, this may mean that another application also manipulates local GPO.

WAPTExit halts after 15 minutes and does not finish the installation of the package

By default with Windows, shutdown scripts can not run more than 15 minutes.

By default, Windows shutdown scripts are only allowed to run for 15 minutes. If a script has not finished before that limit, it will be interrupted.

Solving the BIOS UUID issue

To solve that problem, increase the preshutdowntimeout value and the max_gpo_script_wait value.

Define these values in C:\Program Files (x86)\wapt\wapt-get.ini file to change the default behavior.

max_gpo_script_wait=180
pre_shutdown_timeout=180

The WAPT package tis-wapt-conf-policy <https://store.wapt.fr/wapt/tis-wapt-conf-policy_6_all.wapt>`_ sets this configuration.

The other solution may be tu use the GPO :file:File.ini.

GPO Fichier INI

Error message when opening the WAPT console

Connection refused

The WAPT console can not contact the WAPT Server on port 443.

  • check whether the Nginx web service is running on the WAPT Server:
ps aux | grep nginx
  • if Nginx is not running, restart the Nginx service:
service nginx restart
  • if Nginx still does not start, you’ll need to analyze journal logs in /var/log/nginx/ on Linux or in C:\Program Files (x86)\wapt\waptserver\nginx\logs on Windows.

Service unavailable

It is possible that the waptserver service is stopped.

  • check whether waptserver is running:
ps aux | grep wapt
  • if the command returns nothing, then start the waptserver using:
service waptserver start

Error connecting with SSL … verify failed

The WAPT console seems not to be able to verify the server’s HTTPS certificate.

Attention

Warning, before doing anything, be sure that your are not facing a MITM attack!

Note

If you have just redone your WAPT Server and that you use a self-signed certificate, you can recover the old keys of your old WAPT Server in /opt/wapt/waptserver/apache/ssl.

  • close your WAPT console;
  • delete the folder %appdata%\..\Local\waptconsole;
  • launch the command: wapt-get enable-check-certificate;
  • be sure that the previous command has gone well;
  • restart the WAPT service: net stop waptservice && net start waptservice;
  • restart the WAPT console;

In case you do not use the certificate pinning method, this tells you that the certificate sent by the server can not be verified with the python certifi bundle of certificates. Be sure to have the full chain of certificates on the WAPT Server.

Problems when enabling enable-check-certificate

I have received the message “Certificate CN ### sent by server does not match URL host ###” when enabling enable-check-certificate.

This means that the CN in the certificate sent by the WAPT Server do not match the value of the wapt_server attribute in wapt-get.ini.

Two solutions:

  • check the value of wapt_server in your wapt-get.ini;

If the value is correct, this surely means that an error has happened during the generation of the self-signed certificate during server post-configuration (typing error, …).

You must then regenerate your self-signed certificates.

On the WAPT Server, delete the content of the /opt/wapt/waptserver/apache/ssl/ folder.

Then, relaunch the postconfiguration script (the same as the one used during initial installation, with the same arguments and values).

Then, be sure that the value of FQDN for the WAPT Server is correct.

You may now retry enable-check-certificate.

Problem when creating a package

Creating a package via the WAPT console

The drag and drop method of a software in the WAPT console does not work:

  • the method will not work if the WAPT console has been started without Local Administrator priviledge;
  • the method will not work if the WAPT console has been started with UAC;

Simple alternative solution: go to Tools ‣ Create a package template from an installer ‣ Choose the installer.

The WAPT console does not fill in automatically the informations in the fields:

  • there are special characters in some file path of the binary;
  • the installer does not provide the desired informations;

Problem with rights in the Windows Command Line utility

When editing a package, if the following message appears:

capture d'écran de l'invite de commande Windows affichant l'erreur : OperationnalError: attempt to write a readlony database

OperationnalError: attempt to write a readonly database

Solving the BIOS UUID issue

Open a session as Local Administrator and redo the desired action.

Problems with access rights and PyScripter

When trying to install a package from PyScripter, if the following message appears:

capture d'écran de Pyscripter affichant l'erreur : OperationnalError: attempt to write a readlony database

OperationnalError: attempt to write a readonly database

Solving the BIOS UUID issue

Open a session as Local Administrator and redo the desired action.

My WAPT package is too big and I can not upload it on the repository

When a package is too big, it is necessary to build it locally then upload it with WinSCP or an equivalent utility.

Solving the BIOS UUID issue

Build the package with PyScripter or manually: wapt-get build-package.

Hint

If the previous upload failed, you can find the package in c:\waptdev.

Downloading and installing WinSCP using WAPT:

wapt-get install tis-winscp

Using WinSCP, upload your package in /var/www/html/wapt/ path of you Linux server.

Once the upload has finished, you’ll need to recreate Packages index file on your repository:

/usr/bin/python /opt/wapt/wapt-scanpackages.py /var/www/wapt/

WAPT package in error

Problem installing a package

Symptoms

I have a package that returns in error and the software is not installed on the computer when I physically go to check on the computer.

Explication

An error has occured during the execution of the setup.py.

You can read and analyze error messages returned in the console and try to understand and solve them.

The installation of the package will be retried at each upgrade cycle until the package does not return an error.

Solving the BIOS UUID issue

  • if WAPT returns an error code, research the error code on the Internet;

Example for a MSI:

  • 1618: another installation in already running. Restarting the computer should solve the problem.

Note

MSI error codes are available by visiting https://msdn.microsoft.com/en-us/library/windows/desktop/aa372835.aspx.

  • go to the computer and try to install the package with the WAPT command line utility. Then check that the software has installed;

Attention

Once the silent installation has finished, do nothing else.

The objective is to reproduce the behavior of the WAPT agent.

  • if the package installs silently in user context, this may mean that the software installer does not work in SYSTEM context;
  • If it is still not working, launch the installation manually. It is possible for an error to appear explicitely describing the problem (ex: missing dependency, etc);
  • it is possib;le that the installer does not support installing over an older version of the software, so you will have to explicitely tell to uninstall older versions before installing the new one;

Error “timed out after seconds with output ‘600.0’”

Symptoms

Some packages return the following error in the WAPT console:

"Erreur timed out after seconds with output '600.0'"

Explication

By default, when installing a package run, install_msi_if_needed ou install_exe_if_needed), WAPT will wait 600 seconds for the installer to finish its task.

if the installer has not finished in this delay, WAPT will stop the running installation.

Solution: large software installs

If the software to be installed is known to be big (Microsoft Office, Solidworks, LibreOffice, Katia, Adobe Creative Suite), it is possible that the 600 second delay be too short.

You will have to increase the timeout value, ex: timeout=1200.

run('"setup.exe" /adminfile office2010noreboot.MSP',timeout=1200)

Error “has been installed but the uninstall key can not be found”

Symptoms

Some packages return the following error in the WAPT console:

has been installed but the uninstall key can not be found

Explication

WAPT relies on Windows to install MSI and EXE.

By default, WAPT accepts return codes 0 (OK) and 3010 (computer restart required) and it verifies that the uninstall key is present.

Unfortunately, we can not fully trust these return codes, so WAPT does additional checks after completing the installation to make sure that all has gone well:

  • it checks the presence of the uninstall key on the computer;
  • it checks that the version number of the software is equal or greater than the version number in the control file;
  • if this is not the case, it infers that the software may not be present on the computer;

The function returns the package in error. The installation will be retried at every upgrade cycle until the package returns no error.

Solving the BIOS UUID issue

Attention

Avant toute chose, il convient de se connecter sur la machine en erreur et de vérifier manuellement si le logiciel est correctement installé . Si ce n’est pas le cas, se référer à la partie problèmes d’installation.

  • if the software has installed correctly, this may mean that the uninstall key or the software version in the package is not correct;
  • retrieve the correct unistall key and make changes to the WAPT package accordingly;
  • if the error happens when using the install_msi_if_needed function, this means that the MSI installer is badly packaged that it returns an incorrect uninstall key;

Error “has been installed and the uninstall key found but version is not good”

Symptoms

Some packages return the following error in the WAPT console:

has been installed and the uninstall key found but version is not good

Explication

When using install_msi_if_needed or install_exe_if_needed functions, additional checks are performed to make sure that all has gone well.

Solving the BIOS UUID issue

Attention

Before doing anything, it is advisable to go physically to the computer returning in error and to manually check whether the software has correctly installed. If the software has not installed correctly, refer to the “Problem installing a package” section of this documentation.

Solution: with install_msi_if_needed

The informations being extracted from the MSI installer, this means that the MSI file does not return correct values or that the uninstall key is incorrect.

You can check using the Windows Command Line utility:

wapt-get list-registry

If the returned key is not that which has been entered in the install section of the setup.py, it is not possible to use the function install_msi_if_needed.

You must review the install section of your setup.py, use the run() function and manually manage exceptions.

Solution: with install_exe_if_needed

This probably means that the version number entered in the install_exe_if_needed function is not correct. Make corrections to the WAPT package accordingly.

Note

If the min_version argument has not been entered, WAPT will try to retrieve the version automatically from the exe installer.

You can check the uninstall key and version number using the command:

wapt-get list-registry

If no version is provided with the wapt-get list-registry command, this means that the software installer does not provide an uninstall key.

Two solutions:

  • use the argument get_version to provide the path to another uninstallkey:
def install():

        def versnaps2(key):
                return key['name'].replace('NAPS2 ','')

        install_exe_if_needed('naps2-5.3.3-setup.exe',silentflags='/VERYSILENT',key='NAPS2 (Not Another PDF Scanner 2)_is1',get_version=versnaps2)
  • providing an empty value for min_version tells WAPT not to check for versions;
min_version=' '

Attention

With this method, versions are no longer checked during updates!

Problèmes fréquents liés aux Antivirus

Certains Antivirus lèvent des alertes pour des composants de WAPT.

Parmis ceux-ci le logiciel nssm.exe utilisé par WAPT comme utilitaire de service pour l’agent WAPT.

Voici une liste des exceptions possibles à déclarer dans votre interface de gestion centralisé antivirus :

"C:\Program Files (x86)\wapt\waptservice\win32\nssm.exe"
"C:\Program Files (x86)\wapt\waptservice\win64\nssm.exe"
"C:\Program Files (x86)\wapt\waptagent.exe"
"C:\Program Files (x86)\wapt\waptconsole.exe"
"C:\Program Files (x86)\wapt\waptexit.exe"

"C:\wapt\waptservice\win32\nssm.exe"
"C:\wapt\waptservice\win64\nssm.exe"
"C:\wapt\waptagent.exe"
"C:\wapt\waptconsole.exe"
"C:\wapt\waptexit.exe"