topic Expedition Updates with SSL Inspection in Expedition Discussions https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-updates-with-ssl-inspection/m-p/233413#M593 <P>I ran into issues updating Expedition through my PAN Firewall running SSL decryption.</P> <P>&nbsp;</P> <P>After a bit of troubleshooting there are two changes I needed to make on the expedition VM.</P> <P>&nbsp;</P> <OL> <LI>&nbsp;Update cert file with your SSL Decrypt cert - This allows apt to trust your SSL decryption certificate <OL> <LI>Export the Root CA that signed your SSL cert in base64/PEM format</LI> <LI>Append the raw text of that SSL Cert to&nbsp;/etc/ssl/certs/ca-certificates.crt</LI> </OL> </LI> <LI>Configure PIP to use that certificate Store - This tells pip to read your SSL certificate store <OL> <LI>create /etc/pip.conf and add the following configuration <PRE>[global] cert = /etc/ssl/certs/ca-certificates.crt</PRE> </LI> </OL> </LI> </OL> <P>I also needed to allow this system to download EXE's from the Internet, once PIP started trusting my decryption certificate, I discovered that PIP is downloading EXE's(normally for windows) as part of its script for some reason and this was causing it to throw errors.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Oct 2018 19:50:38 GMT DavidNestler 2018-10-02T19:50:38Z Expedition Updates with SSL Inspection https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-updates-with-ssl-inspection/m-p/233413#M593 <P>I ran into issues updating Expedition through my PAN Firewall running SSL decryption.</P> <P>&nbsp;</P> <P>After a bit of troubleshooting there are two changes I needed to make on the expedition VM.</P> <P>&nbsp;</P> <OL> <LI>&nbsp;Update cert file with your SSL Decrypt cert - This allows apt to trust your SSL decryption certificate <OL> <LI>Export the Root CA that signed your SSL cert in base64/PEM format</LI> <LI>Append the raw text of that SSL Cert to&nbsp;/etc/ssl/certs/ca-certificates.crt</LI> </OL> </LI> <LI>Configure PIP to use that certificate Store - This tells pip to read your SSL certificate store <OL> <LI>create /etc/pip.conf and add the following configuration <PRE>[global] cert = /etc/ssl/certs/ca-certificates.crt</PRE> </LI> </OL> </LI> </OL> <P>I also needed to allow this system to download EXE's from the Internet, once PIP started trusting my decryption certificate, I discovered that PIP is downloading EXE's(normally for windows) as part of its script for some reason and this was causing it to throw errors.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Oct 2018 19:50:38 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-updates-with-ssl-inspection/m-p/233413#M593 DavidNestler 2018-10-02T19:50:38Z