WPK upgrade root CA expires on September 6, 2022 #14715

Closed
vikman90 opened this issue Aug 23, 2022 · 9 comments · Fixed by #14842
Labels: module/install (Issue related to the installation process), module/upgrade/wpk

@vikman90
Member

vikman90 commented Aug 23, 2022

| Wazuh version | Component | Install type | Install method | Platform | Source |
|---|---|---|---|---|---|
| 3.0.0 to 4.3.7 | Agent upgrade | Agent | WPK packages | Linux, Windows & macOS | #14558 |

WPK packages are signed by an X.509 certificate issued by Wazuh. When agents receive a WPK file, they first validate the certificate against the root CA, which comes installed along with the agent (/var/ossec/etc/wpk_root.pem).

Such root CA certificate is expiring on September 6th at 14:47:13 GMT:

```
$ openssl x509 -enddate -noout -in /var/ossec/etc/wpk_root.pem
notAfter=Sep  6 14:47:13 2022 GMT
```

Impact

After that time, agents from version 3.0.0 to 4.3.7 will reject currently released WPK packages, making it impossible to upgrade to any version using the WPK method.

Version scope

  • Agents at version 4.3.8 or above won't require any action to do WPK upgrades.
  • Agents from 3.0.0 to 4.3.7 need to follow the steps below.

Action plan

  1. Wazuh team will update the root CA certificate as of version 4.3.8 (Update WPK upgrade root CA certificate #14842).
  2. On September 7th, we will release re-signed WPK packages from 3.6.0 to 4.3.7, keeping the expired root CA.
  3. Users will need to install the new root CA into their agents, from version 3.0.0 to 4.3.7.

How to renew the certificate

In order for 3.0.0 - 4.3.7 agents to continue receiving WPK upgrades, users must install the new root CA. Note that agents 3.6.0 - 4.3.7 will include the old root CA, so they will overwrite the file back if we use the same name.

  1. Download the new root CA (wpk_root.pem).
  2. Copy the file into your agent's etc folder, with a different name. For instance, wpk_root_2022.pem.
  3. Add a new <ca_store> stanza to the agent configuration (etc/ossec.conf), with the new file.
  4. Restart the agent.

Example

  1. Download and install the new root CA:

```
curl -o /var/ossec/etc/wpk_root_2022.pem https://raw.githubusercontent.com/wazuh/wazuh/00718e3720d127c44d73d7c9b093d90a918790a0/etc/wpk_root.pem
```

  2. Set up the new root CA, in addition to the current one (/var/ossec/etc/ossec.conf):

```xml
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <ca_store>etc/wpk_root.pem</ca_store>
    <ca_store>etc/wpk_root_2022.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>
</ossec_config>
```

  3. Restart your agent:

```
service wazuh-agent restart
```

@vikman90 vikman90 added module/upgrade/wpk module/install Issue related to the installation process labels Aug 23, 2022
@vikman90 vikman90 self-assigned this Aug 23, 2022
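
The renewal steps above as shell functions for a Linux agent, plus an expiry audit built on the same `openssl x509` check. This is an added example, not part of the original issue or of Wazuh's code. It assumes the default /var/ossec prefix, that the new CA was already saved as etc/wpk_root_2022.pem, and that the agent accepts an extra <ossec_config> block appended to ossec.conf; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit and extend the WPK trust store of one Linux agent.
# Assumed paths: default prefix /var/ossec; new CA saved as etc/wpk_root_2022.pem.
OSSEC_HOME=${OSSEC_HOME:-/var/ossec}

# Print every <ca_store> value declared in the ossec.conf given as $1.
list_ca_stores() {
    sed -n 's:.*<ca_store>\(.*\)</ca_store>.*:\1:p' "$1"
}

# Succeed only if certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Declare the current and the new root CA in ossec.conf ($1) unless present.
# Prints "changed" (agent restart needed) or "unchanged".
ensure_ca_stores() {
    conf=$1; missing=
    for ca in etc/wpk_root.pem etc/wpk_root_2022.pem; do
        list_ca_stores "$conf" | grep -qxF "$ca" ||
            missing="$missing    <ca_store>$ca</ca_store>
"
    done
    if [ -z "$missing" ]; then echo unchanged; return 0; fi
    printf '<ossec_config>\n  <active-response>\n%s  </active-response>\n</ossec_config>\n' "$missing" >>"$conf"
    echo changed
}

# Report each declared CA that is missing or expires within $2 days (default 90).
# Paths are assumed to contain no whitespace; relative ones resolve under OSSEC_HOME.
audit_ca_stores() {
    conf=$1; days=${2:-90}; rc=0
    for ca in $(list_ca_stores "$conf"); do
        case $ca in /*) path=$ca ;; *) path=$OSSEC_HOME/$ca ;; esac
        if ! cert_valid_for "$path" $((days * 86400)); then
            echo "WARN: $path missing, unreadable or expiring within $days days"
            rc=1
        fi
    done
    return $rc
}
```

Restart the agent only when `ensure_ca_stores /var/ossec/etc/ossec.conf` prints `changed`; `audit_ca_stores` returns non-zero when any declared CA needs attention, so it can run from cron or a monitoring check.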
@okynos
Contributor

okynos commented Aug 25, 2022

Public Cert 4.0.2+ (about to expire):
MIIDCjCCAfICCQCPB96AooZwbTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB

Public Cert 4.4.0+ (new one):
MIIDazCCAlMCExAWKTOtkuPTEEP8Dv6Nv9CnoXwwDQYJKoZIhvcNAQELBQAwcjEL

Way to check it: head -c100 wazuh_agent_vx.x.x_system_arch.wpk

@vikman90 vikman90 modified the milestone: Release 4.4.0 Aug 29, 2022
@jjrbg
Contributor

jjrbg commented Aug 30, 2022

Should it be possible to push out the new 2022 cert and associated ca_store setting to all agents via centralised config?

I've tried and failed, but I'm not sure if it's because it is blocked intentionally, or because I've made an error!

I dropped wpk_root_2022.pem into /var/ossec/shared/default on the manager, which appears in C:\Program Files (x86)\ossec-agent\shared without any issue.

This is my change to agent.conf...

```xml
<agent_config name="TestAgent">
  <active-response>
    <ca_store>%PROGRAMFILES(x86)%\ossec-agent\shared\wpk_root_2022.pem</ca_store>
  </active-response>
</agent_config>
```

But the agent rejects the remote upgrade attempt...

```
2022/08/30 15:30:28 ossec-agent[1496] signature.c:292 at wpk_verify_cert(): DEBUG: Certificate couldn't be verified by CA 'wpk_root.pem': unable to get local issuer certificate (20)
2022/08/30 15:30:28 ossec-agent[1496] signature.c:68 at w_wpk_unsign(): ERROR: Error verifying WPK certificate.
2022/08/30 15:30:28 ossec-agent[1496] wcom.c:782 at _unsign(): ERROR: At unsign: Couldn't unsign package file 'incoming\wazuh_agent_v3.13.2_windows.wpk'
```

My guess is the ca_store setting is either not configurable via centralised config intentionally as this would allow a way to bypass the code signing feature? Or this is not working as it's not possible to overwrite the ca_store setting already present in the "local" ossec.conf on the agent?

We have a challenge where we are monitoring 10000+ agents, without having administrative privileges to the agent systems, which will be unupgradable after next week! 😱

James

@vikman90
Member Author

vikman90 commented Sep 8, 2022

@jjrbg I'm afraid that the <ca_store> option is valid in ossec.conf only. That precisely helps to trust the manager.

You can place the root CA file in the shared folder, but <ca_store> needs to be declared in the agent.

We do apologize for the inconvenience.
Best regards.

@jctello
Contributor

jctello commented Sep 8, 2022

@vikman90 in step 2 of your instructions on how to renew the certificate, shouldn't the configuration be in <agent-upgrade> instead of <active-response>?

That is:

```xml
<ossec_config>
  <agent-upgrade>
    <ca_verification>
        <enabled>yes</enabled>
        <ca_store>etc/wpk_root.pem</ca_store>
        <ca_store>etc/wpk_root_2022.pem</ca_store>
    </ca_verification>
  </agent-upgrade>
</ossec_config>
```

For reference: https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/install-custom-wpk.html

@vikman90
Member Author

vikman90 commented Sep 9, 2022

@jctello both are valid. <agent-upgrade> is new in 4.1.0, while <ca_store> inside <active-response> is compatible from 3.0.0.

Reference: User manual / Reference / Local configuration (ossec.conf) / active-response.

@subascha

Hi,

For me, the easiest way to resolve this issue is to replace the wpk_root.pem via group policy.

No agent restart needed. Just replace the file via group policy, wait for GPO deployment cycles, and run the agent_upgrade command without any problems.

Did this for round about 40 wazuh-agents in our domain.

Best regards

@dami-nicastro
Member

Hi @vikman90
I hope you are fine.
I would need to know for how long this new WPK certificate is valid.
Will we need to change this certificate again in a future upgrade of the agents?
Thanks

@sultanovich
Member

Hi @dami-nicastro , the new certificate is Valid To: August 17, 2027

@vikman90
Member Author

@dami-nicastro No, you won't need to change the certificate again. We've set up an internal calendar to update it in 4 years. We will probably add a folder to contain multiple CAs, so the agent will support both current and future WPKs.

However, we may change the WPK mechanism in wazuh/wazuh-packages#1853.

Best regards.
