Forum / Wayk Now - Bug Report

Second reboot may be required to enable TLS connections

  • Create an Issue
  • Cancel

On one Server 2016 system now, and one Windows 10 system a second reboot was required to get Wayknow to be able to establish a TLS connection so it would prompt for credentials and connect.

Clock2 yrs

Hi Pedro,

Just to clarify, you have tried the following:

1) Installed Wayk Now Unattended, rebooted, then tried connecting without success.
2) Rebooted a second time, then tried connecting, and this time it worked.

Can you clarify what error you encountered the first time? Also, are you connecting using Wayk Den or is it a direct connection with the hostname / IP address? I'm to determine if the problem is with the server TLS certificate generation, or with something else.


Best regards,

Marc-André Moreau

signaturesignature

Clock2 yrs

The first time the error is that it is unabl;e to establish a TLS connection

den is enabled but I'm going direct via DNS name

Clock2 yrs

I've also tried, and in some cases had to, remove the certificate & credentials from the cache and get them all over again.

Clock2 yrs

On a third server, second reboot did not fix the problem, attempt to repair the service hangs at stopping services (has happened two times now) and any attempt to manually stop the WaykNow service fails to complete with the service hung at 'stopping'

I'm on to my third reboot on this server now which does not make me a happy camper.

Clock2 yrs

Hi Pedro,

We have done some fixes today for the cases where the service is stuck when being stopped. Unfortunately, for the beta5, you will have to manually kill NowService.exe in the task manager.

As for the TLS issue, it is possible that the initial self-signed certificate generation fails because of missing directories. I will open a ticket so we can review this portion of the code to ensure that it creates the correct directories recursively before generating the self-signed certificate in the unattended mode. If you connect through the Wayk Den, it uses a different certificate, and we have definitely tested it on a machine that didn't have any of the Wayk directories created.

As a bonus for using the Wayk Den ID instead of the hostname, you get automated certificate validation with a real built-in certificate authority:
https://blog.devolutions.net/2018/09/insider-series-wayk-den-certificate-authority

I apologize for the inconvenience, this is why we are doing a beta program. Thank you for taking the time to test Wayk Now.

Best regards,

Marc-André Moreau

signaturesignature

Clock2 yrs

I would use waykden but thus far there's little to no documentation on it and I don't like the idea of anything about my servers being in the cloud where I don't have access to log in and control who may do what with that information and/or those connections. Steer me towards a user management console for it where I can configure my systems in it and I'll consider it, otherwise it's a no-go for me (and probably any other administrator with a security background)

Clock2 yrs

Hi Pedro,

You will be happy to learn that providing you with a secure management console where you are in control of your own machines is part of our long term plan. As for now, Wayk Den is only offered as a cloud service allowing simplified network connectivity using a 6 digit ID because there would be no product without such a feature to begin with.

I take note of your comments regarding the lack of information about the Wayk Den internals. I assure you that we take security very seriously, but as any conscious person would do, you need more than my reassurance. It is a complex topic to cover, but I will see how we can improve documentation on the security features built-in to Wayk Now and Wayk Den. We have nothing to hide, it's just a matter of explaining it better.


Best regards,

Marc-André Moreau

signaturesignature

Clock2 yrs

Well it's a moot point on this server at least, my 25TB JBOD just died so it's out of commission until Saturday.

The problem with using the WaykDen access code is having to know it before you connect to the machine inorder to do that you need to make sure your fire up wayknow and write it down and keep it somewhere that you'll remember it. Not such a good option. Again, being able to see the ID's associated with my machines, and manage how they can be connected to is a very high priority and honetsly something that every other vendor of similar products offers even on the free tiers.

Clock2 yrs

Hi Pedro,

I'm sorry about your server :/

As for the Wayk Den access code, we are well aware of this usability issue. For the moment, one has to login once to see what the code is in the Wayk Now UI, and it should normally remain the same.

We are currently putting a lot of effort in the unattended mode, but in parallel of this we have other people working on the portions that will make it possible to get initial support for listing machines associated with an account remotely. Right now, Wayk Now gets an ephemeral identity in the Wayk Den network, but in the future, it will be possible to login to Wayk Den using an account. This same account will then be used to authorize the listing of machines associated with the account.

I expect that once the unattended mode is stabilized, most customers will ask for what you are asking right now. We are planning to meet their demands smile

Best regards,

Marc-André Moreau

signaturesignature

Clock2 yrs

Some further information on this. If you reboot immediately after the install, that is from the prompt put out by the installation itself, then the second reboot is not required. If you delay the reboot, to allow applications to close, etc.. then the additional reboots are required.

Clock2 yrs

I hope to find some time today to figure this one out, but it may have to go to next week until we have a build with a proper fix. Today, we will work on sending a beta6 with the primary goal of disabling the "Wayk Now Remote Desktop Services" experimental component (not "Wayk Now Unattended Service") that some users have installed along with the "complete" installation option. Did you install this component by any chance? It should be removed as many users reported system instability with the recent Windows update, even though this experimental component has been in our installer for a year.

Marc-André Moreau

signaturesignature

Clock2 yrs

Yes I did install it, do I need to remove it before switching to beta 6? Or, if there are no other differences, can I just remove that component and save having to reboot everything again?

Clock2 yrs

You don't need to remove it before installing the beta6, the beta6 installer should remove it automatically for you. We did manage, however, to add a quick fix that could very well fix your multiple reboot issue. We found out on our side that the service can fail to start listening on TCP if networking is not yet available on startup. We added a quick fix in the service that will check and wait up to 15 seconds for the network to become available. We think that this problem did not affect the Wayk Den connectivity, which is why it kept happening very frequently for you and not everybody else.

Marc-André Moreau

signaturesignature

Clock2 yrs