PANOS 8.0.0 EDL requires certificate

L1 Bithead

Hey guys,

Just set up MineMeld, upgraded to PAN-OS 8.0.0, and ran into an issue with setting up the EDL: the source (https://minemeld.local/feeds/inboundfeedhc) being HTTPS, PAN-OS now requires a certificate profile for the communication to work. What should be configured there, and what (if anything) on the MineMeld server?

Great tool by the way!

Cheers,

Luk

L7 Applicator

Re: PANOS 8.0.0 EDL requires certificate

Hi @luks,

The default MineMeld certificate is self-signed and won't work with PAN-OS 8.0. You should:

- create a new certificate signed by a CA

- copy the full certificate chain to /etc/nginx/minemeld.cer and the private key to /etc/nginx/minemeld.pem

- reload the nginx config (sudo service nginx reload)

- use the CA's public certificate in the PAN-OS 8.0 Certificate Profile

If you don't have an internal CA, a quick fix is the script here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

There are instructions in the comment at the end of the script on how to use it. The script automatically generates a new CA, creates and signs a certificate for the MineMeld WebUI, moves the files into place, and destroys the CA private key to eliminate the risk of the CA becoming compromised. At the end of the script you can take the generated CA.crt file and use it in the PAN-OS 8.0 Certificate Profile.

L1 Bithead

Re: PANOS 8.0.0 EDL requires certificate

 

Thanks for the quick reply!

OK, I got that done: I got the PEM key and then followed these instructions to split the key (https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...).

So I end up with these files:

-rw-r--r--  1 luks luks 2791 Feb  3 19:52 cert_minemeld.pem
-rw-r--r--  1 root root 1025 Feb  3 20:19 minemeld.cer
-rw-r--r--  1 root root 1766 Feb  3 20:19 minemeld1.cer

Doing the following works, but I still get the URL Access error on my Palo Alto firewall (PS: the /etc/nginx/minemeld/ directory doesn't exist, so I just used /etc/nginx). I am using the right certificate in the profile on the EDL.

[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer                     # certificate that nginx serves
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem  # unencrypted RSA private key
[minemeld ~]$ sudo service nginx restart

I think I'm doing something wrong on the NGINX part?

Thanks again for the help,

Luk

L1 Bithead

Re: PANOS 8.0.0 EDL requires certificate

I found it, it was a routing issue (the service route configuration needed to be changed).

DUH!

It's working now, thanks again!

Luk

L4 Transporter

Re: PANOS 8.0.0 EDL requires certificate

I am having difficulties with the Certificate Profile. In the System logs I see an error about the EDL server authentication failing:

"Reason: unable to get local issuer certificate"

I already created a CertProfile with the CA cert of the MineMeld server and configured my EDL with the appropriate Cert Profile. Am I missing something?

Thanks

Roland

L7 Applicator

Re: PANOS 8.0.0 EDL requires certificate

Hi @gafrol,

Have you already generated a new certificate for MineMeld? The default certificate on MineMeld is self-signed and it can't be used in a Certificate Profile.

An easy way to generate a new certificate is:

  • ssh into the MineMeld instance
  • type the following commands:

$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld ip address>

  • at the end of the operation above the MineMeld WebUI has a new certificate, and you can grab the CA certificate from the browser or from the file CA.crt in the directory where you typed the commands

If you want to check the details of the script, see the gist here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

 

L4 Transporter

Re: PANOS 8.0.0 EDL requires certificate

We are using an official certificate for our MineMeld install. I just had to add the intermediate SSL cert to the Cert Profile. Now it is working.

Thanks

Roland
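The two fixes in this thread (a CA-signed certificate with the full chain in /etc/nginx/minemeld.cer and the key in /etc/nginx/minemeld.pem, and the "unable to get local issuer certificate" error that went away once the intermediate was in the Certificate Profile) come down to the same chain-building rule. The script below is an added example, not code from this thread, from MineMeld or from Palo Alto Networks, and it is not the gist linked above. It assumes openssl is in PATH; the MINEMELD_HOST value and the "Example Lab" CA names are hypothetical, and files are written to a scratch directory unless INSTALL_DIR is set. It builds root CA -> issuing CA -> server certificate, stages the files the way the thread lays them out for nginx, then uses openssl verify to emulate the profile check in the three configurations that matter:

```shell
#!/bin/sh
# Added example (not from this thread, MineMeld or Palo Alto Networks): build
# root CA -> issuing CA -> server cert with openssl, stage the files the way the
# thread describes for MineMeld's nginx (chain in minemeld.cer, key in
# minemeld.pem), then reproduce the PAN-OS "unable to get local issuer
# certificate" failure with openssl verify. Assumptions: openssl in PATH;
# MINEMELD_HOST and the "Example Lab" CA names are hypothetical; output goes to
# a scratch directory unless INSTALL_DIR is set (use /etc/nginx on a real box).
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
MINEMELD_HOST="${MINEMELD_HOST:-minemeld.local}"   # hypothetical feed host
INSTALL_DIR="${INSTALL_DIR:-$PKI_DIR/nginx}"

# Generate root CA, intermediate CA and the web UI server cert under $PKI_DIR.
build_pki() {
    cnf="$PKI_DIR/openssl.cnf"
    # A bare IP (as in the /feeds URL some posters use) needs IP:, not DNS:.
    case "$MINEMELD_HOST" in
        *[!0-9.]*) san="DNS:$MINEMELD_HOST" ;;
        *)         san="IP:$MINEMELD_HOST" ;;
    esac
    cat > "$cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root CA, self-signed; its key should live offline (the gist deletes it).
    openssl genrsa -out "$PKI_DIR/root.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$PKI_DIR/root.key" \
        -subj "/CN=Example Lab Root CA" -config "$cnf" -extensions v3_ca \
        -out "$PKI_DIR/root.crt"
    # Issuing CA, signed by the root and limited to pathlen 0.
    openssl genrsa -out "$PKI_DIR/intermediate.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$PKI_DIR/intermediate.key" -config "$cnf" \
        -subj "/CN=Example Lab Issuing CA" -out "$PKI_DIR/intermediate.csr"
    openssl x509 -req -sha256 -days 1825 -in "$PKI_DIR/intermediate.csr" \
        -CA "$PKI_DIR/root.crt" -CAkey "$PKI_DIR/root.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_intermediate \
        -out "$PKI_DIR/intermediate.crt" 2>/dev/null
    # Server cert for the MineMeld web UI, signed by the issuing CA.
    openssl genrsa -out "$PKI_DIR/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$PKI_DIR/server.key" -config "$cnf" \
        -subj "/CN=$MINEMELD_HOST" -out "$PKI_DIR/server.csr"
    openssl x509 -req -sha256 -days 825 -in "$PKI_DIR/server.csr" \
        -CA "$PKI_DIR/intermediate.crt" -CAkey "$PKI_DIR/intermediate.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_server \
        -out "$PKI_DIR/server.crt" 2>/dev/null
}

# Lay the files out as the thread says nginx expects them: minemeld.cer = server
# cert followed by the intermediate (so nginx sends the chain), minemeld.pem = key.
install_chain() {
    mkdir -p "$INSTALL_DIR"
    cat "$PKI_DIR/server.crt" "$PKI_DIR/intermediate.crt" > "$INSTALL_DIR/minemeld.cer"
    cp "$PKI_DIR/server.key" "$INSTALL_DIR/minemeld.pem"
    chmod 600 "$INSTALL_DIR/minemeld.pem"
}

# Emulate the Certificate Profile check. $1 = CA bundle held in the profile,
# $2 = optional chain file the server presents. Echoes openssl's verdict.
verify_with_profile() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$PKI_DIR/server.crt" 2>&1 || true
    else
        openssl verify -CAfile "$1" "$PKI_DIR/server.crt" 2>&1 || true
    fi
}

main() {
    build_pki
    install_chain
    cat "$PKI_DIR/root.crt" "$PKI_DIR/intermediate.crt" > "$PKI_DIR/profile.crt"
    echo "1) profile holds the root only, server sends only its own cert:"
    verify_with_profile "$PKI_DIR/root.crt"          # unable to get local issuer certificate
    echo "2) profile holds the root, server sends minemeld.cer (leaf + intermediate):"
    verify_with_profile "$PKI_DIR/root.crt" "$INSTALL_DIR/minemeld.cer"   # OK
    echo "3) profile holds root + intermediate, as gafrol did:"
    verify_with_profile "$PKI_DIR/profile.crt"       # OK
}
main
```

Case 1 is the failure in this thread: the firewall only trusts the root, nginx serves the leaf alone, and the verifier cannot find the leaf's issuer. Cases 2 and 3 are the two ways to fix it, which is why concatenating the intermediate into minemeld.cer (the L7 Applicator's "full certificate chain") and adding the intermediate to the Certificate Profile (gafrol's fix) both work. On a real MineMeld box run it as `sudo INSTALL_DIR=/etc/nginx sh script.sh`, then `sudo service nginx reload`, and import root.crt into the PAN-OS Certificate Profile; with a commercial certificate skip build_pki and apply the same rule to the CA's intermediate.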

L7 Applicator

Re: PANOS 8.0.0 EDL requires certificate

@gafrol, using a valid certificate is a far better solution!

L4 Transporter

Re: PANOS 8.0.0 EDL requires certificate

Absolutely, we provide MineMeld as a Service (running in our datacenter) to our PAN FW customers, so a commercial certificate is a must. It is working like a charm now.

Rgds

Roland

L2 Linker

Re: PANOS 8.0.0 EDL requires certificate

I have followed the procedure you outlined, but I still get this output:

admin@PA-VM> request system external-list show type domain name sdfsdfsdf


vsys1/sdfsdfsdf:
Next update at : Thu Oct 12 02:00:39 2017
Source : https://192.168.122.231/feeds/Domain-Output
Referenced : Yes
Valid : Yes
Auth-Valid : Yes
Total invalid entries : 1
Valid domains:
Failed binding local connection end

 

All certificates are imported and nginx restarted. Even with the CA certificate trusted in the Firefox browser, I get a cert error.

Can anyone please tell me what the issue is?
