topic Re: PANOS 8.0.0 EDL requires certificate in General Topics

PANOS 8.0.0 EDL requires certificate

luks — Fri, 03 Feb 2017 18:27:37 GMT

Hey guys,

Just set up Minemeld, upgraded to PANOS 8.0.0, running into an issue with seeting up the EDL, the source (https://minemeld.local/feeds/inboundfeedhc) being HTTPS, PANOS now requires a certificate profile for the communication to work - what shpuld be configured there, and what -if anything- on the minemeld server?

Great tool by the way!

Cheers,

Luk

Re: PANOS 8.0.0 EDL requires certificate

lmori — Fri, 03 Feb 2017 18:38:44 GMT

Hi @luks,

the default MineMeld certificate is self-signed and won't work with PAN-OS 8.0. You should:

- create a new certificate signed by a CA

- copy the full certificate chain in /etc/nginx/minemeld.cer and the private key in /etc/nginx/minemeld.pem

- reload nginx config (sudo service nginx reload)

- use the CA public certificate in PAN-OS 8.0 Certificate Profile

If you don't have an internal CA, a quick fix is the script here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

There are instructions in the comment at the end of the script on how to use it. The script automatically generates a new CA, creates and signs a certificate for MineMeld Webui, moves the files in their places, and destroys the CA private key to eliminate the risk of the CA becoming compromised. At the end of the script you can take the generated CA.crt file and use it inside the PAN-OS 8.0 Certificate Profile.

Re: PANOS 8.0.0 EDL requires certificate

luks — Fri, 03 Feb 2017 19:34:32 GMT

Thanks for the quick reply!

Ok i got that done, got the PEM key and then followed these instructions to split the key (https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/101331) .

so I end up with these files

-rw-r--r-- 1 luks luks 2791 Feb 3 19:52 cert_minemeld.pem

-rw-r--r-- 1 root root 1025 Feb 3 20:19 minemeld.cer

-rw-r--r-- 1 root root 1766 Feb 3 20:19 minemeld1.cer

Doing the following works, but I still get the URL Access error on my Palo Alto firewall (PS/ etc/nginx/minemeld/ directory doesn't exist so I just used /etc/nginx). I am using the right certificate in the profile on the ELD.

[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/ngnix/minemeld/minemeld.pem
[minemeld ~]$ sudo service nginx restart

I think I'm doing something wrong on the NGINX part?

Thanks again for the help,

Luk

Re: PANOS 8.0.0 EDL requires certificate

luks — Fri, 03 Feb 2017 19:56:26 GMT

I found it, it was a routing issue (service route configuration needed to be changed)

DUH!

it's working now, thanks agan!

Luk

Re: PANOS 8.0.0 EDL requires certificate

gafrol — Thu, 09 Feb 2017 15:57:30 GMT

I am having diffilculties with the Certificate Profile. In the System logs I see an error regarding the EDL Server authentication being failed.

"Reason: unable to get local issuer certificat"

I already created a CertProfile with the CA Cert of the MineMeld Server. Configured my EDL with the appropriate Cert Profile. Am I a missing something ?

Thanks

Roland

Re: PANOS 8.0.0 EDL requires certificate

lmori — Wed, 15 Feb 2017 09:56:59 GMT

Hi @gafrol,

have you already generated a new certificate for MineMeld ? The default certificate on MineMeld is self-signed and it can't be used in a Certificate Profile.

An easy way to generate a new certificate is:

ssh into the MineMeld instance
type the following commands

$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld ip address>

at the end of the operation above the MineMeld WebUI has a new certificate and you can grab the CA certificate from the browser or from the file CA.crt in the directory where you typed the commands

If you want to check the details of the script check this gist here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

Re: PANOS 8.0.0 EDL requires certificate

gafrol — Tue, 14 Feb 2017 10:09:33 GMT

We are using an official certificate for our MineMeld install. Just had to add the intermediate SSL cert to the Cert Profile. Now it is working.

thanks

Roland

Re: PANOS 8.0.0 EDL requires certificate

lmori — Wed, 15 Feb 2017 09:57:45 GMT

@gafrol, using a valid certificate is a far better solution !

Re: PANOS 8.0.0 EDL requires certificate

gafrol — Wed, 15 Feb 2017 10:07:12 GMT

Absolutely, we provide MineMeld as a Service (running in our Datacenter) to our PAN FW customers. So a commercial certificate is a must. It is working like a charm now .

Rgds

Roland

Re: PANOS 8.0.0 EDL requires certificate

ausafali88 — Thu, 12 Oct 2017 08:58:36 GMT

I have followed your outlined procedure...but still i get this output:

admin@PA-VM> request system external-list show type domain name sdfsdfsdf

vsys1/sdfsdfsdf:
Next update at : Thu Oct 12 02:00:39 2017
Source : https://192.168.122.231/feeds/Domain-Output
Referenced : Yes
Valid : Yes
Auth-Valid : Yes
Total invalid entries : 1
Valid domains:
Failed binding local connection end

All certificates are imported and nginx restarted....even CA certificate trusted in Firefox browser gives a cert error....

Please can anyone tell whats the issue?

Re: PANOS 8.0.0 EDL requires certificate

Sanssj — Mon, 03 Sep 2018 19:52:56 GMT

Hi @lmori what the apoarch for certificate profile in Pan-8.0 if you are using Minemeld hosted by the Autofocus. the problem in my case is the miners are working but the FW is not able to access those Dynamic list. is there any tech doc to regenerate certificate on the Minemeld hosted on Autofocus.

Thanks

Re: PANOS 8.0.0 EDL requires certificate

xhoms — Tue, 04 Sep 2018 10:29:24 GMT

Hi @Sanssj,

is the article https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414 the documentation you're looking for?

Re: PANOS 8.0.0 EDL requires certificate

Todd_Benshoof — Mon, 10 Jun 2019 20:55:52 GMT

I have done everything in this feed and "How to Generate New MineMeld HTTPS Cert". This is what I get:

'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: XXXXXXXXX, EDL Source URL: https://XXXXXXXXXXX.com/feeds/inboundfeedhc, CN: XXXXXXXXXX, Reason: SSL peer certificate or SSH remote key was not OK'

I created a self-signed CA. Created a certificate from that CA and imported it into my Minemeld server.