Hi - 2 questions:-
> How do we change the default SSL certificate on Minemeld? Standard Apache cert replacement?
> If we have a custom source running SSL with a self-signed cert, can we force a HTTPS miner to ignore the cert error?
How to change certs
The certificate is served by nginx and stored in /etc/nginx/minemeld.cer (certificate) and /etc/nginx/minemeld.pem (private key). You can stop nginx ("sudo service nginx stop"), replace the files with a valid certificate and private key and restart nginx ("sudo service nginx start").
Ignore cert errors
Sure, this is usually done with the prototype. Which Miner are you using?
Thanks very much - half asleep on the Apache\nginx mixup..!
I created a new miner and used the following prototype as a template: - minemeld.ft.http.HttpFT
I can see polling errors being reported under the Statistics UI page but can't find where they are actually logged - looking again with fresh eyes I see I have set the application attribute to http.
On that subject is there any documentation on these attributes, they mostly seem obvious but I'm not sure on some of them?
@apackard Look for the file /opt/minemeld/log/minemeld-engine.log and search inside it for the name of your node. Attributes look correct, could you paste the full YAML config of the prototype (removing the confidential part of it)?
Pertinent error log entry:-
Exception in polling loop for CIU_Threatintel_Droplist: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
And the YAML:-
#####@#####:/opt/minemeld/prototypes/0.9.20$ cat minemeldlocal.yml
description: Local prototype library managed via MineMeld WebUI
CIU Threatintel Droplist:
description: #####\ThreatStream moderated IP blocklist
@apackard MineMeld can't verify the cert of the server hosting the blocklist.
- copying the CA of the server certificate on the MineMeld instance and then setting REQUESTS_CA_BUNDLE env in /etc/default/minemeld to point to that location (preferred if the server is not using a self-signed cert)
- adding the setting verify_cert: false inside the prototype in the config section to disable certificate verification
NOTE: there is a bug in MineMeld 0.9.20 affecting local prototypes, to avoid losing your custom proto please move the minemeldlocal.yml to the right place:
sudo -u minemeld mv /opt/minemeld/prototypes/current/minemeldlocal.yml /opt/minemeld/local/prototypes/
When I add a cert signed by a PAN device to /etc/nginx (minemeld.cer and minemeld.pem) and restart nginx (sudo service nginx restart), it asks for the PAM pass phrase. Although I put in the correct password or remove the password from the pem, it always asks.
So I cannot change MineMeld to use a certificate signed by our PAN VM. Did I miss anything?
If the restart asks for a password, it typically means that your private key is password protected. I know you already removed that, but could you double-check?
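One way to do the double check suggested above, as an added example (not code from the thread or from MineMeld): it reads the PEM text of the key file and reports whether any private key block in it is still passphrase-protected, covering both the PKCS#8 and the traditional OpenSSL encrypted formats. The function names are hypothetical and the sample PEM blocks are constructed placeholders, not real keys.

```python
import re
import sys

# One PEM block: BEGIN line, optional headers, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem_blocks(text):
    """Return (label, state) per PEM block; state is
    'encrypted', 'unencrypted' or 'not-a-key'."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            state = "not-a-key"        # e.g. a CERTIFICATE in the same file
        elif label == "ENCRYPTED PRIVATE KEY":
            state = "encrypted"        # PKCS#8 encrypted key
        elif re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.MULTILINE):
            state = "encrypted"        # traditional OpenSSL encrypted key
        else:
            state = "unencrypted"
        results.append((label, state))
    return results

def key_needs_passphrase(text):
    """True if any private key block in the text is still encrypted."""
    return any(s == "encrypted" for _, s in classify_pem_blocks(text))

# Constructed samples: the bodies are placeholders, not real key material.
SAMPLE_TRADITIONAL_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENC = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_CERT_PLUS_PLAIN_KEY = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python check_key.py /etc/nginx/minemeld.pem
    with open(sys.argv[1]) as fh:
        for label, state in classify_pem_blocks(fh.read()):
            print(f"{label}: {state}")
```

Run it against the file nginx actually loads, since a decrypted copy saved elsewhere leaves the original in place.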