topic Re: Minemeld SSL Certificates in General Topics

Minemeld SSL Certificates

apackard — Tue, 13 Sep 2016 16:43:52 GMT

Hi - 2 questions:-

> How do we change the default SSL certificate on Minemeld? Standard Apache cert replacement?

> If we have a custom source running SSL with a self-signed cert, can we force a HTTPS miner to ignore the cert error?

Thanks!

Re: Minemeld SSL Certificates

lmori — Tue, 13 Sep 2016 16:54:47 GMT

Hi apackard,

How to change certs

Certificate is served by nginx and stored in /etc/nginx/minemeld.cer (certificate) /etc/nginx/minemeld.pem (private key). You can stop nginx ("sudo service nginx stop"), replace the files with a valid certificate and private key and restart nginx ("sudo service nginx start").

Ignore cert errors

Sure, this is usually done with the prototype. Which Miner are you using ?

Thanks.

Re: Minemeld SSL Certificates

apackard — Wed, 14 Sep 2016 10:06:16 GMT

Thanks very much - half asleep on the Apache\ngix mixup..!

I created a new miner and used the following prototype as a template: - minemeld.ft.http.HttpFT

attributes

application: http

confidence: 100

direction: inbound

share_level: green

type: IPv4

source_name

mm.ciuthreatintel

url

https://<internal_FQDN>:8787/pa-dbl.txt

I can see polling errors being reported under the Statistics UI page but can't find where they are actually logged - looking again with fresh eyes I see I have set the application attribute to http.

On that subject is there any documentation on these attributes, they mostly seem obvious but I'm not sure on some of them?

Many Thanks

Re: Minemeld SSL Certificates

lmori — Thu, 15 Sep 2016 06:49:55 GMT

@apackard Look for the file /opt/minemeld/log/minemeld-engine.log and search inside it for the name of your node. Attributes looks correct, could you paste the full YAML config of the prototype (removing the confidential part of it) ?

Thanks !

luigi

Re: Minemeld SSL Certificates

apackard — Thu, 15 Sep 2016 10:43:52 GMT

Thanks Luigi.

Pertinent error log entry:-

Exception in polling loop for CIU_Threatintel_Droplist: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

And the YAML:-

#####@#####:/opt/minemeld/prototypes/0.9.20$ cat minemeldlocal.yml
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
CIU Threatintel Droplist:
class: minemeld.ft.http.HttpFT
config:
attributes:
application: http
confidence: 100
direction: inbound
share_level: green
type: IPv4
source_name: mm.ciuthreatintel
url: https://##########:8787/pa-dbl.txt
description: #####\ThreatStream moderated IP blocklist
development_status: STABLE
node_type: miner

Re: Minemeld SSL Certificates

lmori — Thu, 15 Sep 2016 11:20:26 GMT

@apackard MineMeld can't verify the cert of the server hosting the blocklist.

You can:

- copying the CA of the server certificate on the MineMeld instance and then setting REQUESTS_CA_BUNDLE env in /etc/default/minemeld to point to that location (preferred if the server is not using a self-signed cert)

- adding the setting verify_cert: false inside the prototype in the config section to disable certificate verification

NOTE: there is a bug in MineMeld 0.9.20 affecting local prototypes, to avoid losing your custom proto please move the minemeldlocal.yml to the right place:

sudo -u minemeld mv /opt/minemeld/prototypes/current/minemeldlocal.yml /opt/minemeld/local/prototypes/

Re: Minemeld SSL Certificates

apackard — Thu, 15 Sep 2016 11:39:21 GMT

Perfect, many thanks.

Re: Minemeld SSL Certificates

Nupagazy — Sun, 13 Jan 2019 14:27:45 GMT

Hi Luigi,

When I add cert signed by PAN deivce to /etc/nginx ( minemeld.cer and minemeld.pem) , when I restart nginx ( sudo service nginx restart ) it ask the PAM pass phrase. ALthough I put the correct password or remove the password from pem, it always ask.

So I can not change minemeld to use certificate signed by our PAN vm. Do I missed anything ?

Best Regards,

Re: Minemeld SSL Certificates

lmori — Sun, 13 Jan 2019 18:18:05 GMT

Hi @Nupagazy,

if the restart ask for password, typically means that your private key is password protected. I know you already removed that, but could you double check?

Re: Minemeld SSL Certificates

Nupagazy — Mon, 14 Jan 2019 14:18:49 GMT

I found following config of minemeld-web:

ssl_certificate /etc/nginx/minemeld.cer

ssl_certificate_key /etc/nginx/minemeld.pem

Which certificates generated by PAN vm should I replace the above two ?

Best Regards,

Re: Minemeld SSL Certificates

lmori — Mon, 14 Jan 2019 16:51:22 GMT

Hi @Nupagazy,

basically you should place in /etc/nginx/minemeld.cer your certificate in PEM format, and in /etc/nginx/minemeld.pem your private in PEM (with no password!)

Luigi

Re: Minemeld SSL Certificates

Nupagazy — Tue, 15 Jan 2019 10:05:40 GMT

Thank you so much, I can make the PA vm send https log to minemeld now.

Best Regards,