topic Re: Cortex XDR Pro on Linux Mint in Cortex XDR Discussions

Cortex XDR Pro on Linux Mint

ianatgrafton — Wed, 24 Mar 2021 14:41:55 GMT

I am having an issue with an installation of XDR on Linux Mint 20.

I found this post with no resolution and one of the comments from @MartinSauer suggests someone else was seeing the same issue.

LIVEcommunity - ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed - LIVEcommunity - 317055 (paloaltonetworks.com)

In the trapsd.log I can see the error:

{trapsd:Communication:Heartbeat:Scheduled:https://distributions.traps.paloaltonetworks.com/operations/provision/register-url/<dist-id>} HTTP request failed due to an SSL error (0): SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

If I curl that URI it connects fine and I can see the TLS handshake and TLS v1.2 is used, it returns a status 200 message and a resource URI, similarly, if I browse to the URI using Firefox ESR I get a valid response with a resource URI with no certificate errors.

Why cant the XDR Agent validate the cert and is this limited to an issue with Linux Mint 20?

Support are driving me mad and keep telling me its a certificate issue asking me to install certificates which I have demonstrated are installed.

Has anybody else come across this?

Re: Cortex XDR Pro on Linux Mint

ianatgrafton — Fri, 26 Mar 2021 09:27:58 GMT

So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.

Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain. You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com

I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.

Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.

Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)

At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .

Re: Cortex XDR Pro on Linux Mint

jasonroy — Fri, 23 Jun 2023 15:41:39 GMT

Ubuntu is Cortex XDR supported:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Linux

Linux Mint 21.1 "Vera" is basically a fork of Ubuntu 22.04 "jammy" with some changes:

$cat /etc/upstream-release/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu Jammy Jellyfish"

Except Cortex XDR is looking at /etc/lsb-release and not the upstream and will generate this error and not be able to figure out what to do with CA certificates it wants to add:

{trapsd:Communication:Startup:} Could not resolve CA certificates bundle path, unrecognized Linux distribution

You can work-around this:

sudo cp -av /etc/release-lsb /etc/release-lsb.orig ; sudo ln -s ./upstream-release/lsb-release /etc

Now it will be happy with the Linux distribution detection and add the CA certificate properly.

To remove this work-around, just restore the original file:

sudo rm /etc/lsb-release ; sudo cp -av /etc/release-lsb.orig /etc/release-lsb

After this fix, a SSL error most likely points to SSL decryption somewhere along the way. Either configure PAN FW to not decrypt Traps traffic, or add the CA for the decryption PAN FW to the OS certificate store:

To add:
1. Copy your CA to ls /usr/local/share/ca-certificates/
2. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
3. Update the CA store: sudo update-ca-certificates
To remove:
1. Remove your CA: rm /usr/local/share/ca-certificates/foo.crt
2. Update the CA store: sudo update-ca-certificates --fresh