3. FAQ - Console Issues
3.1. My certificate doesn’t work on the machine
You are trying to update, send a message, or add a package, but you encounter the following error:
Error on client: EWaptCertificateUntrustedIssuer('Issuer CA certificate CN=XXXX,C=FR can not be found in supplied bundle')
How to Troubleshoot:
Check the Certificate:
Ensure the certificate used by your console is valid and recognized by the target machine.
Go to Tools > Preferences and verify the “Path to personal certificate”.
Verify Machine’s Trusted Certificates:
On the target machine, open the “Certificates” tab.
Confirm that your certificate (or its signing authority) is listed as trusted.
Resolve Certificate Issues:
If your certificate is not trusted, have it signed by a certificate authority (CA) already approved by the machine.
You need to create a certificate package and sign it with a certificate already approved by the machine.
Follow the signing procedure as described in the video guide: https://www.youtube.com/watch?v=mdUcQSdPqQ4.
Retry the Operation:
After ensuring the certificate is trusted, attempt the update, message, or package addition again.
3.2. Error message about package on the WAPT Console
3.2.1. Error “File setup.py is not allowed in manifest of xxx”
This error means that the certificate currently in use does not have the authority to sign packages.
The only two options available are:
1- Use a different certificate with code-signing rights.
2- Regenerate a certificate with the code signing option selected (information for build certificate here).
Figure: Code signing for certificate
3.2.2. Error when uploading package
Figure: Window showing that the uploaded package has signer certificate issue
The WAPT Console shows this error: Error when uploading package : EWaptForbidden('Host matching package UUID_HOST does not trusted signer certificate).
You get this error when you try to upload a WAPT package but the certificate that signed the package is not present in the ssl folder of your computer’s WAPT install location. As a reminder, if your WAPT Server runs on Windows, do not launch the WAPT Console on the server. Add the WAPT certificate that signed the package to the ssl folder of your computer’s WAPT install location, then retry.
3.2.3. Error locale
Figure: Window showing that the WAPT Console does not find a package
The WAPT Console shows this error in two situations.
3.2.3.1. Package does not exist in the repository anymore, yet a host needs it
There are two possible solutions:
Try to get the package again from Tranquil IT’s store.
Delete the package from the host dependencies.
3.2.3.2. When you try to install a package with a locale that is unknown to the host
There are two possible solutions:
Download the WAPT package having the matching locale from Tranquil IT’s store.
Edit your WAPT package and set the locale option in the control file to the correct locale (locale=en,fr).
3.3. Error message when opening the WAPT Console
3.3.1. Version check
The WAPT Console version is not the same as the version of the WAPT Server. Upgrading the WAPT Console to the same version as the WAPT Server is the recommended course of action.
3.3.2. Connection refused
The WAPT Console can not contact the WAPT Server on port 443:
Check whether the Nginx web service is running on the WAPT Server.
systemctl status nginx
If Nginx is not running, restart the Nginx service.
systemctl restart nginx
If Nginx still does not start, you will need to analyze the journal logs in:
/var/log/nginx/ on Linux;
C:\Program Files (x86)\wapt\waptserver\nginx\logs on Windows.
3.3.4. Error connecting with SSL … verify failed
The WAPT Console seems not to be able to verify the WAPT Server’s HTTPS certificate.
Attention
Before doing anything, be sure that you are not facing a MITM attack!
Note
If you have just rebuilt your WAPT Server and you use a self-signed certificate, you can recover the old keys of your old WAPT Server in /opt/wapt/waptserver/apache/ssl.
Close your WAPT Console.
Delete the folder %appdata%\..\Local\waptconsole.
Launch the command wapt-get enable-check-certificate.
Be sure that the previous command has gone well.
Restart the WAPT service with net stop waptservice && net start waptservice.
Restart the WAPT Console.
If you do not use the certificate pinning method, this error tells you that the certificate sent by the WAPT Server cannot be verified with the Python certifi bundle of certificates. Be sure to have the full chain of certificates on the WAPT Server.
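One way to act on the MITM warning above before deleting the local data and re-enabling certificate checking, as an added example (not code from WAPT or its documentation): compare the SHA-256 fingerprint of the certificate the WAPT Server currently presents with a fingerprint read directly on the server or obtained through another trusted channel. The host name and expected fingerprint given on the command line are your own values, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import ssl
import sys

# Constructed sample: arbitrary bytes in PEM armour, NOT a real certificate.
# A fingerprint is only SHA-256 over the DER bytes, so this is enough to
# exercise the comparison offline.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(text):
    """Accept 'sha256 Fingerprint=AA:BB:...', 'aa bb ...' or bare hex."""
    value = text.split("=")[-1]
    digits = "".join(ch for ch in value if ch not in ": \t\r\n").lower()
    if len(digits) != 64 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def fingerprint_from_pem(pem):
    """SHA-256 fingerprint (lowercase hex) of a PEM-encoded certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def presented_matches_expected(pem, expected):
    """True only if the presented certificate hashes to the trusted value."""
    return hmac.compare_digest(fingerprint_from_pem(pem),
                               normalize_fingerprint(expected))


def fetch_presented_pem(host, port=443):
    """Return whatever certificate the endpoint sends, without validating it.

    Validation is skipped on purpose: the bytes are only hashed and compared
    with a fingerprint obtained through a channel the network cannot alter.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage: python check_pin.py <wapt-server-hostname> <expected-fingerprint>
    host, expected = sys.argv[1], sys.argv[2]
    if presented_matches_expected(fetch_presented_pem(host), expected):
        print("MATCH: the server presents the expected certificate")
        sys.exit(0)
    print("MISMATCH: do not re-pin; investigate before going further")
    sys.exit(1)
```

The expected fingerprint can be printed on the server itself with openssl x509 -noout -fingerprint -sha256 -in followed by the path of the server's certificate file, and the output line can be passed to the script unchanged.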
3.3.5. I can’t do anything in the WAPT Console, everything is greyed
The WAPT Console seems locked: you cannot execute any action and everything is greyed out.
If you are connected as a user other than the Superadmin, the ACL rules applied to your profile may not be set properly.
To fix this, close the WAPT Console and open it with the Superadmin account. Then, go to . Here, you will see the user in the list; give the user the appropriate permissions, then save and close the WAPT Console. Re-open the WAPT Console using your login.
3.4. Managing the location of machines in WAPT: Updating the Organisation Unit (OU)
The WAPT server does not automatically determine the location of a newly deployed machine. This information is transmitted by the WAPT agent (installed on the machine) to the server, based on the data available at the time of communication.
The key on the machine is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Distinguished-Name
Case of a machine moved to a new OU
If the machine has not yet received the information indicating that it belongs to a new OU, it transmits to the WAPT server the location that it knows at that time (generally the old OU).
To check the location known by the machine:
In the WAPT console, identify the machine concerned.
Go to the Hardware Inventory tab.
Look for the key computer_ad_dn; its value corresponds to the location (OU) that the machine has communicated to the server.
How to correct the location of the machine
If the value of computer_ad_dn corresponds to the old OU, there are two solutions for forcing the update:
Via the command prompt:
Run the following command on the machine:
gpupdate /force
Via the WAPT console:
Select the workstation concerned.
Right-click > Windows Computer Management.
Choose Update AD Group Policies on hosts.
Once the update has been performed, the machine should appear in the new OU in the WAPT inventory.
3.5. Duplicate or Legacy Windows Update KBs Displayed in WAPT
Then, choose the certificate to associate to the user.
You may notice that a Windows 11 device running version 25H2 displays cumulative updates intended for earlier releases such as 22H2, 23H2, or 24H2 in the Windows Updates tab of the WAPT Console. At first glance, this may suggest that updates for older Windows versions are being installed on the device. Fortunately, this is not the case.
Microsoft is aware of this behavior and has acknowledged it in their support forums, although the issue has not yet been resolved:
Microsoft discussion: https://learn.microsoft.com/en-us/answers/questions/2157261/duplicate-cumulative-kb-windows-11-update-returns
The information displayed in the Windows Updates tab comes directly from the native Windows Update Agent and is not modified by WAPT. WAPT intentionally preserves the original data returned by Windows Update so that administrators can work with the information exactly as provided by Microsoft.
While the presence of duplicate or legacy-version KBs can make the update list more difficult to read, this is purely a display issue. It does not affect the update installation process. Windows Update will only install the cumulative update that matches the operating system version running on the device. For example, on a Windows 11 25H2 system, only the KB package intended for 25H2 will be installed, even if updates targeting 22H2, 23H2, or 24H2 are also listed in the console.
To verify which updates are actually installed on a device, you can use the following PowerShell command:
Get-Hotfix