https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168270#M97795 <P>Yes but I tried exempting the MineMeld server from SSL Decryption. I also added the Trusted Root CA to Minemeld.</P> Tue, 25 Jul 2017 22:58:41 GMT iheredia 2017-07-25T22:58:41Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168267#M97793 <P>Currently Running MineMeld Version 0.9.40 on Ubuntu 14.04. I am getting the following certificate error. I have tried updating the self-signed cert, restart, ubuntu reboot. with no change.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 25 Jul 2017 22:50:09 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168267#M97793 iheredia 2017-07-25T22:50:09Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168269#M97794 <P>Are you doing SSL decryption ? The Miner is not able to validate the remote certificate of the ET server.</P> Tue, 25 Jul 2017 22:53:40 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168269#M97794 lmori 2017-07-25T22:53:40Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168270#M97795 <P>Yes but I tried exempting the MineMeld server from SSL Decryption. I also added the Trusted Root CA to Minemeld.</P> Tue, 25 Jul 2017 22:58:41 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168270#M97795 iheredia 2017-07-25T22:58:41Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168271#M97796 <P>Could you double check that MM is actually exempted from decryption ?<BR />Another option is saving the Trusted CA certificate in /opt/minemeld/local/CA/site/ and then "sudo -u mm-cabundle-update"</P> Tue, 25 Jul 2017 23:01:03 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168271#M97796 lmori 2017-07-25T23:01:03Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168273#M97797 <P>I will double check in the morning. I will first try to add the Root CA to&nbsp;<SPAN>/opt/minemeld/local/CA/site/ and then "sudo -u mm-cabundle-update"</SPAN></P> <P>&nbsp;</P> <P>Thank you for the quick reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> Tue, 25 Jul 2017 23:06:51 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/168273#M97797 iheredia 2017-07-25T23:06:51Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/207523#M97798 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a>,</P> <P>&nbsp;</P> <P>I tried that, but so far it didn't work.</P> <P>First, shouldn't that be:&nbsp;&nbsp;sudo -u minemeld mm-cabundle-update&nbsp; ?</P> <P>&nbsp;</P> <P>Second:&nbsp;</P> <P>I exported my forward decryption certificate from my PA in PEM format and created a file&nbsp;</P> <P>pa820SubCA.crt&nbsp;</P> <P>in</P> <P>/opt/minemeld/local/CA/site</P> <P>&nbsp;</P> <P>Then I ran:</P> <P>/opt/minemeld/local/certs$ sudo -u minemeld mm-cabundle-update<BR />2018-03-26T23:14:19 (101237)cacert_merge.main INFO: config: {'cafile': ['/opt/minemeld/local/certs/site/'], 'dst': '/opt/minemeld/local/certs/bundle.crt', 'config': '/opt/minemeld/local/certs/cacert-merge-config.yml', 'no_merge_certifi': False}<BR />WARNING: old python version (&lt; 2.7.9) - certificate verification not performed</P> <P>&nbsp;</P> <P>I'm seeing&nbsp;</P> <P>/opt/minemeld/local/certs$ ls -la<BR />total 312<BR />drwxr-xr-x 4 minemeld minemeld 4096 Mar 26 22:50 .<BR />drwxr-xr-x 9 minemeld minemeld 4096 Mar 26 23:00 ..<BR />-rw------- 1 minemeld minemeld 296399 Mar 26 23:14 bundle.crt<BR />drwxr-xr-x 3 minemeld minemeld 4096 Mar 26 22:38 CA<BR />-rw-r--r-- 1 minemeld minemeld 25 Oct 2 14:17 cacert-merge-config.yml<BR />drwxr-xr-x 2 minemeld minemeld 4096 Oct 2 14:18 site</P> <P>&nbsp;</P> <P>I don't see my certificate getting added in bundle.crt</P> <P>&nbsp;</P> <P>Did I miss anything?</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp; Andreas</P> Mon, 26 Mar 2018 21:19:25 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/207523#M97798 idelconsulting 2018-03-26T21:19:25Z https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/207693#M97799 <P>I got it working now.</P> <P>&nbsp;</P> <P>Changes required:</P> <P>Trusted CA PEM file needs to be in:</P> <P>/opt/minemeld/local/certs/site</P> <P>with the extension .crt</P> <P>&nbsp;</P> <P>Then, after running</P> <P>sudo -u minemeld mm-cabundle-update</P> <P>&nbsp;</P> <P>you need to restart the engine from the System menu.</P> <P>&nbsp;</P> <P>Now everything looks fine.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp; &nbsp;Andreas&nbsp;</P> Tue, 27 Mar 2018 18:39:58 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-error-on-miner-refresh/m-p/207693#M97799 idelconsulting 2018-03-27T18:39:58Z