Minemeld SSL Certificates

L4 Transporter

Minemeld SSL Certificates

Hi - 2 questions:-

 

> How do we change the default SSL certificate on Minemeld?  Standard Apache cert replacement?

> If we have a custom source running SSL with a self-signed cert, can we force a HTTPS miner to ignore the cert error?

 

Thanks!

L7 Applicator

Re: Minemeld SSL Certificates

Hi apackard,

 

How to change certs

The certificate is served by nginx and stored in /etc/nginx/minemeld.cer (certificate) and /etc/nginx/minemeld.pem (private key). You can stop nginx ("sudo service nginx stop"), replace the files with a valid certificate and private key, and restart nginx ("sudo service nginx start").

 

Ignore cert errors

Sure, this is usually done with the prototype. Which Miner are you using ?

 

Thanks.

L4 Transporter

Re: Minemeld SSL Certificates

Thanks very much - half asleep on the Apache/nginx mixup..!

 

I created a new miner and used the following prototype as a template: - minemeld.ft.http.HttpFT

 

attributes
  • application: http
  • confidence: 100
  • direction: inbound
  • share_level: green
  • type: IPv4
source_name mm.ciuthreatintel
url https://<internal_FQDN>:8787/pa-dbl.txt

 

I can see polling errors being reported under the Statistics UI page but can't find where they are actually logged - looking again with fresh eyes I see I have set the application attribute to http.

 

On that subject is there any documentation on these attributes, they mostly seem obvious but I'm not sure on some of them?

 

Many Thanks

L7 Applicator

Re: Minemeld SSL Certificates

@apackard Look for the file /opt/minemeld/log/minemeld-engine.log and search inside it for the name of your node. Attributes look correct, could you paste the full YAML config of the prototype (removing the confidential part of it)?

 

Thanks !

luigi

L4 Transporter

Re: Minemeld SSL Certificates

Thanks Luigi.

 

Pertinent error log entry:-

 

Exception in polling loop for CIU_Threatintel_Droplist: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

 

And the YAML:-

 

#####@#####:/opt/minemeld/prototypes/0.9.20$ cat minemeldlocal.yml
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
    CIU Threatintel Droplist:
        class: minemeld.ft.http.HttpFT
        config:
            attributes:
                application: http
                confidence: 100
                direction: inbound
                share_level: green
                type: IPv4
            source_name: mm.ciuthreatintel
            url: https://##########:8787/pa-dbl.txt
        description: #####\ThreatStream moderated IP blocklist
        development_status: STABLE
        node_type: miner

L7 Applicator

Re: Minemeld SSL Certificates

@apackard MineMeld can't verify the cert of the server hosting the blocklist.

You can:

- copy the CA of the server certificate to the MineMeld instance and then set the REQUESTS_CA_BUNDLE env in /etc/default/minemeld to point to that location (preferred if the server is not using a self-signed cert)

- add the setting verify_cert: false inside the prototype in the config section to disable certificate verification

 

NOTE: there is a bug in MineMeld 0.9.20 affecting local prototypes, to avoid losing your custom proto please move the minemeldlocal.yml to the right place:

sudo -u minemeld mv /opt/minemeld/prototypes/current/minemeldlocal.yml /opt/minemeld/local/prototypes/

L4 Transporter

Re: Minemeld SSL Certificates

Perfect, many thanks.

L1 Bithead

Re: Minemeld SSL Certificates

Hi Luigi,

When I add the cert signed by the PAN device to /etc/nginx (minemeld.cer and minemeld.pem) and restart nginx (sudo service nginx restart), it asks for the PEM pass phrase. Although I put in the correct password or remove the password from the pem, it always asks.

So I cannot change MineMeld to use a certificate signed by our PAN VM. Did I miss anything?

Best Regards,

An

L7 Applicator

Re: Minemeld SSL Certificates

Hi @Nupagazy,

If the restart asks for a password, it typically means that your private key is password protected. I know you already removed that, but could you double check?

L1 Bithead

Re: Minemeld SSL Certificates

I found the following config of minemeld-web:

ssl_certificate /etc/nginx/minemeld.cer;

ssl_certificate_key /etc/nginx/minemeld.pem;

Which certificates generated by the PAN VM should I use to replace the above two?

Best Regards,

An
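
One way to double-check the two files before restarting nginx, added here as an example (it is not part of the original thread or of MineMeld): it reports whether the file used for ssl_certificate holds a certificate and whether the key used for ssl_certificate_key is still passphrase protected. The function names and the sample PEM text are constructed for illustration, and the check does not confirm that the key belongs to the certificate.

```python
import re
import sys

# One PEM block: captures the label and everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        encrypted = (label == "ENCRYPTED PRIVATE KEY"       # PKCS#8 form
                     or "Proc-Type: 4,ENCRYPTED" in body)   # traditional form
        found.append((label, encrypted))
    return found

def check_pair(cert_text, key_text):
    """Return a list of problems with an nginx certificate/key pair."""
    problems = []
    cert = pem_blocks(cert_text)
    keys = [(l, e) for l, e in pem_blocks(key_text) if l.endswith("PRIVATE KEY")]
    if not any(label == "CERTIFICATE" for label, _ in cert):
        problems.append("certificate file has no CERTIFICATE block")
    if any(label.endswith("PRIVATE KEY") for label, _ in cert):
        problems.append("certificate file contains a private key")
    if not keys:
        problems.append("key file has no PRIVATE KEY block")
    if any(enc for _, enc in keys):
        problems.append("private key is passphrase protected")
    return problems

# Constructed samples: the headers are real PEM syntax, the bodies are placeholders.
CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python3 check_pair.py /etc/nginx/minemeld.cer /etc/nginx/minemeld.pem
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as c, open(sys.argv[2]) as k:
            issues = check_pair(c.read(), k.read())
    else:
        issues = check_pair(CERT, LEGACY_ENC)   # demo on the constructed samples
    print("\n".join(issues) or "no problems found")
```
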
