PANOS 8.0.0 EDL requires certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PANOS 8.0.0 EDL requires certificate

L1 Bithead

Hey guys,

 

Just set up Minemeld, upgraded to PANOS 8.0.0, running into an issue with seeting up the EDL, the source (https://minemeld.local/feeds/inboundfeedhc) being HTTPS, PANOS now requires a certificate profile for the communication to work - what shpuld be configured there, and what -if anything- on the minemeld server?

 

Great tool by the way!

 

Cheers,

Luk

12 REPLIES 12

L7 Applicator

Hi @luks,

the default MineMeld certificate is self-signed and won't work with PAN-OS 8.0. You should:

- create a new certificate signed by a CA

- copy the full certificate chain in /etc/nginx/minemeld.cer and the private key in /etc/nginx/minemeld.pem

- reload nginx config (sudo service nginx reload)

- use the CA public certificate in PAN-OS 8.0 Certificate Profile

 

If you don't have an internal CA, a quick fix is the script here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

 

There are instructions in the comment at the end of the script on how to use it. The script automatically generates a new CA, creates and signs a certificate for MineMeld Webui, moves the files in their places, and destroys the CA private key to eliminate the risk of the CA becoming compromised. At the end of the script you can take the generated CA.crt file and use it inside the PAN-OS 8.0 Certificate Profile. 

 

Thanks for the quick reply!

 

Ok i got that done, got the PEM key and then followed these instructions to split the key (https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...) .

 

so I end up with these files

 

-rw-r--r--  1 luks luks 2791 Feb  3 19:52 cert_minemeld.pem

-rw-r--r--  1 root root 1025 Feb  3 20:19 minemeld.cer

-rw-r--r--  1 root root 1766 Feb  3 20:19 minemeld1.cer

 

Doing the following works, but I still get the URL Access error on my Palo Alto firewall (PS/ etc/nginx/minemeld/ directory doesn't exist so I just used /etc/nginx). I am using the right certificate in the profile on the ELD.

 

[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/ngnix/minemeld/minemeld.pem
[minemeld ~]$ sudo service nginx restart

 I think I'm doing something wrong on the NGINX part?

 

Thanks again for the help,

Luk

I found it, it was a routing issue (service route configuration needed to be changed)

DUH!

it's working now, thanks agan!

Luk

I am having diffilculties with the Certificate Profile. In the System logs I see an error regarding the EDL Server authentication being failed.

 

"Reason: unable to get local issuer certificat"

 

I already created a CertProfile with the CA Cert of the MineMeld Server. Configured my EDL with the appropriate Cert Profile. Am I a missing something ?

 

Thanks

Roland

Hi @gafrol,

have you already generated a new certificate for MineMeld ? The default certificate on MineMeld is self-signed and it can't be used in a Certificate Profile.

 

An easy way to generate a new certificate is:

  • ssh into the MineMeld instance
  • type the following commands

 

$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld ip address>
  • at the end of the operation above the MineMeld WebUI has a new certificate and you can grab the CA certificate from the browser or from the file CA.crt in the directory where you typed the commands

If you want to check the details of the script check this gist here:

https://gist.github.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da

 

We are using an official certificate for our MineMeld install. Just had to add the intermediate SSL cert to the Cert Profile. Now it is working.

 

thanks

Roland

@gafrol, using a valid certificate is a far better solution !

Absolutely, we provide MineMeld as a Service (running in our Datacenter) to our PAN FW customers. So a commercial certificate is a must. It is working like a charm now .

 

Rgds

Roland

I have followed your outlined procedure...but still i get this output:

 

admin@PA-VM> request system external-list show type domain name sdfsdfsdf


vsys1/sdfsdfsdf:
Next update at : Thu Oct 12 02:00:39 2017
Source : https://192.168.122.231/feeds/Domain-Output
Referenced : Yes
Valid : Yes
Auth-Valid : Yes
Total invalid entries : 1
Valid domains:
Failed binding local connection end

 

All certificates are imported and nginx restarted....even CA certificate trusted in Firefox browser gives a cert error....

 

Please can anyone tell whats the issue?

Hi @lmori what the apoarch for certificate profile in Pan-8.0 if you are using Minemeld hosted by the Autofocus. the problem in my case is the miners are working but the FW is not able to access those Dynamic list. is there any tech doc to regenerate  certificate on the Minemeld hosted on Autofocus.

Thanks

 

L0 Member

I have done everything in this feed and "How to Generate New MineMeld HTTPS Cert".  This is what I get:

 

'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: XXXXXXXXX, EDL Source URL: https://XXXXXXXXXXX.com/feeds/inboundfeedhc, CN: XXXXXXXXXX, Reason: SSL peer certificate or SSH remote key was not OK'

 

I created a self-signed CA.  Created a certificate from that CA and imported it into my Minemeld server.

  • 30093 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!