wh1te909 / winagent Goto Github PK

When installing TacticalRMM behind NAT and using our internal certificate authority the agent fails to install from the generated EXE or manual install scripts. By modifying the winagent*.py files and adding a verify=/path/to/staged/cert.pem we were able to get the agent installed. We also had to stage and install the salt-minion locally to make this work as adding the verify command seems to break the SSL connection to github when downloading the installer.

This is the error we got before modifying and rebuilding the agent:

2020-09-07 18:58:38,544 - installer - install - 171 - ERROR - HTTPSConnectionPool(host='api.tacticalrmm.domain.local', port=443): Max retries exceeded with url: /api/v1/token/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))
ERROR: Unable to contact the RMM. Please check your internet connection.

The modifications to the .py files, winagentfiles.zip, was simple and only involved adding the following to each requests.get/post/etc function. The cert is staged on the local system the agent is being installed on.

, verify='/tacticalrmm/ca.pem'

For example:

    try:
        r = requests.post(
            url, json.dumps(payload), headers=headers, timeout=15, verify='/tacticalrmm/ca.pem'
        )

Once we modified all of the .py files in winagent folder and rebuilt the agent this is the error we received when the salt-minion started installing:

2020-09-07 20:22:55,538 - installer - install - 204 - ERROR - HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /wh1te909/winagent/raw/master/bin/salt-minion-setup.exe (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))
ERROR: Timed out trying to download the salt-minion

After staging the salt-minion installer we added a command line option for using it to the winagent executable:

winagent-v0.10.2.exe /VERYSILENT /SUPPRESSMSGBOXES && timeout /t 20 /nobreak > NUL && "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api "https://api.tacticalrmm.domain.local" --client-id 1 --site-id 1 --agent-type "workstation" --power 1 --rdp 1 --ping 1 --auth "" --local-salt "C:\tacticalrmm\salt-minion-setup.exe"

We did experiment with using python-certifi-win32 however it did not seem to work. The root domain ca is present on all systems in the Windows certificate store.

9/9/2020 EDIT - updated attached files removing a syntax error and removing the root CA cert from the requests function that downloads the salt installer.