02-03-2017 10:27 AM
Hey guys,
Just set up MineMeld, upgraded to PAN-OS 8.0.0, running into an issue with setting up the EDL. The source (https://minemeld.local/feeds/inboundfeedhc) being HTTPS, PAN-OS now requires a certificate profile for the communication to work. What should be configured there, and what, if anything, on the MineMeld server?
Great tool by the way!
Cheers,
Luk
02-03-2017 10:38 AM
Hi @luks,
the default MineMeld certificate is self-signed and won't work with PAN-OS 8.0. You should:
- create a new certificate signed by a CA
- copy the full certificate chain in /etc/nginx/minemeld.cer and the private key in /etc/nginx/minemeld.pem
- reload nginx config (sudo service nginx reload)
- use the CA public certificate in PAN-OS 8.0 Certificate Profile
If you don't have an internal CA, a quick fix is the script here:
https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da
There are instructions in the comment at the end of the script on how to use it. The script automatically generates a new CA, creates and signs a certificate for MineMeld Webui, moves the files in their places, and destroys the CA private key to eliminate the risk of the CA becoming compromised. At the end of the script you can take the generated CA.crt file and use it inside the PAN-OS 8.0 Certificate Profile.
02-03-2017 11:34 AM
Thanks for the quick reply!
OK, I got that done, got the PEM key and then followed these instructions to split the key (https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...).
So I end up with these files:
-rw-r--r-- 1 luks luks 2791 Feb 3 19:52 cert_minemeld.pem
-rw-r--r-- 1 root root 1025 Feb 3 20:19 minemeld.cer
-rw-r--r-- 1 root root 1766 Feb 3 20:19 minemeld1.cer
Doing the following works, but I still get the URL Access error on my Palo Alto firewall (PS: the /etc/nginx/minemeld/ directory doesn't exist so I just used /etc/nginx). I am using the right certificate in the profile on the EDL.
[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/ngnix/minemeld/minemeld.pem
[minemeld ~]$ sudo service nginx restart
I think I'm doing something wrong on the NGINX part?
Thanks again for the help,
Luk
02-03-2017 11:56 AM
I found it, it was a routing issue (service route configuration needed to be changed)
DUH!
It's working now, thanks again!
Luk
02-09-2017 07:57 AM
I am having difficulties with the Certificate Profile. In the System logs I see an error about the EDL server authentication having failed.
"Reason: unable to get local issuer certificat"
I already created a CertProfile with the CA cert of the MineMeld server and configured my EDL with the appropriate Cert Profile. Am I missing something?
Thanks
Roland
02-10-2017 12:58 AM - edited 02-15-2017 01:56 AM
Hi @gafrol,
have you already generated a new certificate for MineMeld? The default certificate on MineMeld is self-signed and it can't be used in a Certificate Profile.
An easy way to generate a new certificate is:
$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld ip address>
If you want to check the details of the script check this gist here:
https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da
02-14-2017 02:09 AM
We are using an official certificate for our MineMeld install. Just had to add the intermediate SSL cert to the Cert Profile. Now it is working.
thanks
Roland
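The "unable to get local issuer certificate" failure reported above, and the two remedies mentioned in this thread (the intermediate in the Certificate Profile, or the full chain in /etc/nginx/minemeld.cer), reproduced with a throwaway PKI. This is an added example, not part of the original posts and not the gist script; `openssl verify` stands in for the firewall's check, and every file name and CN below is constructed.

```shell
#!/bin/sh
# Constructed lab PKI (root -> intermediate -> server); every name is made up.
make_lab_pki() {  # make_lab_pki <dir>
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = overridden by -subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
subjectAltName = DNS:minemeld.lab.example
EOF
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/CN=lab-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    sign() { openssl x509 -req -days 30 -extfile "$d/pki.cnf" "$@" 2>/dev/null; }
    sign -in "$d/root.csr" -signkey "$d/root.key" -extensions ca -out "$d/root.crt"
    sign -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extensions ca -out "$d/inter.crt"
    sign -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -extensions leaf -out "$d/leaf.crt"
}

# Print the OpenSSL verdict for a server cert checked against a trust bundle
# (the Certificate Profile) and, optionally, the extra certs the server sends.
check_chain() {  # check_chain <trust bundle> <server cert> [server-sent chain]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi | grep -E ': OK$|^error [0-9]+ at'
}

dir=$(mktemp -d)
make_lab_pki "$dir"
cat "$dir/root.crt" "$dir/inter.crt" > "$dir/profile-full.pem"
echo "profile: root only            -> $(check_chain "$dir/root.crt" "$dir/leaf.crt")"
echo "profile: root + intermediate  -> $(check_chain "$dir/profile-full.pem" "$dir/leaf.crt")"
echo "root only, server sends chain -> $(check_chain "$dir/root.crt" "$dir/leaf.crt" "$dir/inter.crt")"
rm -rf "$dir"
```

To inspect what a real server actually presents, `openssl s_client -connect <host>:443 -showcerts` lists the certificates it sends.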
02-15-2017 01:57 AM
@gafrol, using a valid certificate is a far better solution!
02-15-2017 02:07 AM
Absolutely, we provide MineMeld as a Service (running in our datacenter) to our PAN FW customers, so a commercial certificate is a must. It is working like a charm now.
Rgds
Roland
10-12-2017 01:58 AM
I have followed your outlined procedure, but I still get this output:
admin@PA-VM> request system external-list show type domain name sdfsdfsdf
vsys1/sdfsdfsdf:
Next update at : Thu Oct 12 02:00:39 2017
Source : https://192.168.122.231/feeds/Domain-Output
Referenced : Yes
Valid : Yes
Auth-Valid : Yes
Total invalid entries : 1
Valid domains:
Failed binding local connection end
All certificates are imported and nginx restarted. Even with the CA certificate trusted, the Firefox browser gives a cert error.
Please can anyone tell me what the issue is?
09-03-2018 12:52 PM
Hi @lmori, what is the approach for the certificate profile in Pan-8.0 if you are using MineMeld hosted by AutoFocus? The problem in my case is that the miners are working but the FW is not able to access those dynamic lists. Is there any tech doc to regenerate the certificate on the MineMeld hosted on AutoFocus?
Thanks
09-04-2018 03:29 AM
Hi @Sanssj,
is the article https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-... the documentation you're looking for?
06-10-2019 01:55 PM
I have done everything in this feed and "How to Generate New MineMeld HTTPS Cert". This is what I get:
'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: XXXXXXXXX, EDL Source URL: https://XXXXXXXXXXX.com/feeds/inboundfeedhc, CN: XXXXXXXXXX, Reason: SSL peer certificate or SSH remote key was not OK'
I created a self-signed CA. Created a certificate from that CA and imported it into my Minemeld server.