https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133438#M98620 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33044">@andrew.stanton</a>,</P> <P>that's what is being used by MineMeld. That file is upgraded with MineMeld upgrades.</P> <P>The idea then would be:</P> <P>- take that file and place it in a "safe" directory (a directory persistent across upgrade), like /opt/minemeld/local/certs</P> <P>- append your cert to that file</P> <P>- create the file /etc/default/minemeld with contenets "export REQUESTS_CA_BUNDLE=/opt/minemeld/local/certs/cacert.pem"</P> <P>- sudo service minemeld restart</P> <P>&nbsp;</P> <P>We are working on a utility to do this.&nbsp;</P> Mon, 19 Dec 2016 07:49:21 GMT lmori 2016-12-19T07:49:21Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133152#M98617 <P>I could see the node was having problems pulling the external resource due it being decrypted and our CA being used.</P> <P>&nbsp;</P> <P>I added our CA to the Ubuntu store with the processes used here, but still no juice.</P> <P>&nbsp;</P> <P><A href="http://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line" target="_blank">http://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line</A></P> <P>&nbsp;</P> <P>Thoughts?</P> Thu, 15 Dec 2016 22:35:36 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133152#M98617 andrew.stanton 2016-12-15T22:35:36Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133341#M98618 <P>python requests library uses its own CA store and certifi store.&nbsp; but we have to investigate more how to best handle this.&nbsp; stay tuned.&nbsp; thanks!</P> Fri, 16 Dec 2016 20:00:02 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133341#M98618 ksteves1 2016-12-16T20:00:02Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133343#M98619 <P>probably this file:?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>/opt/minemeld/engine/0.9.30/lib/python2.7/site-packages/requests$ ls -lh cacert.pem<BR />-rw-r--r-- 1 minemeld minemeld 302K Dec 15 21:26 cacert.pem</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 16 Dec 2016 20:49:18 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133343#M98619 andrew.stanton 2016-12-16T20:49:18Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133438#M98620 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33044">@andrew.stanton</a>,</P> <P>that's what is being used by MineMeld. That file is upgraded with MineMeld upgrades.</P> <P>The idea then would be:</P> <P>- take that file and place it in a "safe" directory (a directory persistent across upgrade), like /opt/minemeld/local/certs</P> <P>- append your cert to that file</P> <P>- create the file /etc/default/minemeld with contenets "export REQUESTS_CA_BUNDLE=/opt/minemeld/local/certs/cacert.pem"</P> <P>- sudo service minemeld restart</P> <P>&nbsp;</P> <P>We are working on a utility to do this.&nbsp;</P> Mon, 19 Dec 2016 07:49:21 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-outbound-calls-impacted-by-ssl-interception/m-p/133438#M98620 lmori 2016-12-19T07:49:21Z