WPK upgrade root CA expires on September 6, 2022 #14715
Comments
Public Cert 4.0.2+ (about to expire): Public Cert 4.4.0+ (new one): Way to check it |
Should it be possible to push out the new 2022 cert and associated ca_store setting to all agents via centralised config? I've tried and failed, but I'm not sure if it's because it is blocked intentionally, or because I've made an error!

I dropped wpk_root_2022.pem into /var/ossec/shared/default on the manager, which appears in C:\Program Files (x86)\ossec-agent\shared without any issue. This is my change to agent.conf...

<agent_config name="TestAgent">
  <active-response>
    <ca_store>%PROGRAMFILES(x86)%\ossec-agent\shared\wpk_root_2022.pem</ca_store>
  </active-response>
</agent_config>

But the agent rejects the remote upgrade attempt...

My guess is the ca_store setting is either not configurable via centralised config intentionally, as this would allow a way to bypass the code signing feature? Or this is not working as it's not possible to overwrite the ca_store setting already present in the "local" ossec.conf on the agent?

We have a challenge where we are monitoring 10000+ agents, without having administrative privileges to the agent systems, which will be unupgradable after next week! 😱

James |
@jjrbg I'm afraid that the You can place the root CA file in the shared folder, but We do apologize for the inconvenience. |
@vikman90 in step 2 of your instructions on how to renew the certificate, shouldn't the configuration be in That is:
For reference: https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/install-custom-wpk.html |
@jctello both are valid. Reference: User manual / Reference / Local configuration (ossec.conf) / active-response. |
Hi, for me the easiest way to resolve this issue is to replace the wpk_root.pem via group policy. No agent restart needed. Just replace the file via group policy, wait for the GPO deployment cycles, and run the agent_upgrade command without any problems. Did this for round about 40 Wazuh agents in our domain. Best regards |
Hi @vikman90 |
Hi @dami-nicastro , the new certificate is Valid To: |
@dami-nicastro No, you won't need to change the certificate again. We've set up an internal calendar to update it in 4 years. We will probably add a folder to contain multiple CAs, so the agent will support both current and future WPKs. However, we may change the WPK mechanism in wazuh/wazuh-packages#1853. Best regards. |
WPK packages are signed by an X.509 certificate issued by Wazuh. When agents receive a WPK file, they first validate the certificate against the root CA, which comes installed along with the agent (/var/ossec/etc/wpk_root.pem).
Such root CA certificate is expiring on September 6th at 14:47:13 GMT:
Impact
After that time, agents between versions 3.0.0 and 4.3.7 will reject currently released WPK packages, making it impossible to upgrade to any version using the WPK method.
Version scope
Action plan
How to renew the certificate
In order for 3.0.0 - 4.3.7 agents to continue receiving WPK upgrades, users must install the new root CA. Note that agents 3.6.0 - 4.3.7 will include the old root CA, so they will overwrite the file back if we use the same name.
wpk_root_2022.pem
.<ca_store>
stanza to the agent configuration (etc/ossec.conf), with the new file.
Example
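Added example (not part of the issue and not Wazuh's own tooling): a POSIX shell check for the condition described above, reporting the notAfter date of every root CA that an agent's `<ca_store>` settings point to. It assumes the OpenSSL CLI is installed and that relative `ca_store` paths resolve against the agent install directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the root CAs a Wazuh agent trusts for WPK verification.
# Assumptions: OpenSSL CLI on PATH; relative <ca_store> paths are relative to
# the agent install directory. Usage: check_agent_cas /var/ossec 30

# list_ca_stores CONF: print every <ca_store> value in an ossec.conf, one per line.
list_ca_stores() {
    sed -n 's:.*<ca_store>\(.*\)</ca_store>.*:\1:p' "$1"
}

# ca_status PEM [DAYS]: print "<state> <file> <notAfter>". Returns 0 only when
# the certificate is readable and still valid DAYS days from now (default 30).
ca_status() {
    pem=$1 days=${2:-30}
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || {
        echo "unreadable $pem"; return 2; }
    end=${end#notAfter=}
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "expired $pem $end"; return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "expiring $pem $end"; return 1
    fi
    echo "ok $pem $end"
}

# check_agent_cas HOME [DAYS]: check each CA named in HOME/etc/ossec.conf, or
# the default etc/wpk_root.pem when no <ca_store> is configured. Returns
# non-zero if any CA is unreadable, expired, or expiring inside the window.
check_agent_cas() {
    home=$1 window=${2:-30}
    stores=$(list_ca_stores "$home/etc/ossec.conf")
    printf '%s\n' "${stores:-etc/wpk_root.pem}" | (
        rc=0
        while IFS= read -r store; do
            case $store in /*) path=$store ;; *) path=$home/$store ;; esac
            ca_status "$path" "$window" || rc=1
        done
        exit "$rc"
    )
}
```

An agent that lists both the old and the new file reports one line per CA, so a fleet-wide run shows which agents still depend only on the expiring root.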