Just set up Minemeld, upgraded to PANOS 8.0.0, running into an issue with seeting up the EDL, the source (https://minemeld.local/feeds/inboundfeedhc) being HTTPS, PANOS now requires a certificate profile for the communication to work - what shpuld be configured there, and what -if anything- on the minemeld server?
Great tool by the way!
the default MineMeld certificate is self-signed and won't work with PAN-OS 8.0. You should:
- create a new certificate signed by a CA
- copy the full certificate chain in /etc/nginx/minemeld.cer and the private key in /etc/nginx/minemeld.pem
- reload nginx config (sudo service nginx reload)
- use the CA public certificate in PAN-OS 8.0 Certificate Profile
If you don't have an internal CA, a quick fix is the script here:
There are instructions in the comment at the end of the script on how to use it. The script automatically generates a new CA, creates and signs a certificate for MineMeld Webui, moves the files in their places, and destroys the CA private key to eliminate the risk of the CA becoming compromised. At the end of the script you can take the generated CA.crt file and use it inside the PAN-OS 8.0 Certificate Profile.
Thanks for the quick reply!
Ok i got that done, got the PEM key and then followed these instructions to split the key (https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...) .
so I end up with these files
-rw-r--r-- 1 luks luks 2791 Feb 3 19:52 cert_minemeld.pem
-rw-r--r-- 1 root root 1025 Feb 3 20:19 minemeld.cer
-rw-r--r-- 1 root root 1766 Feb 3 20:19 minemeld1.cer
Doing the following works, but I still get the URL Access error on my Palo Alto firewall (PS/ etc/nginx/minemeld/ directory doesn't exist so I just used /etc/nginx). I am using the right certificate in the profile on the ELD.
[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/ngnix/minemeld/minemeld.pem
[minemeld ~]$ sudo service nginx restart
I think I'm doing something wrong on the NGINX part?
Thanks again for the help,
I am having diffilculties with the Certificate Profile. In the System logs I see an error regarding the EDL Server authentication being failed.
"Reason: unable to get local issuer certificat"
I already created a CertProfile with the CA Cert of the MineMeld Server. Configured my EDL with the appropriate Cert Profile. Am I a missing something ?
have you already generated a new certificate for MineMeld ? The default certificate on MineMeld is self-signed and it can't be used in a Certificate Profile.
An easy way to generate a new certificate is:
$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh $ chmod a+x generate-certificate.sh $ sudo ./generate-certificate.sh <minemeld ip address>
If you want to check the details of the script check this gist here:
We are using an official certificate for our MineMeld install. Just had to add the intermediate SSL cert to the Cert Profile. Now it is working.
Absolutely, we provide MineMeld as a Service (running in our Datacenter) to our PAN FW customers. So a commercial certificate is a must. It is working like a charm now .
I have followed your outlined procedure...but still i get this output:
admin@PA-VM> request system external-list show type domain name sdfsdfsdf
Next update at : Thu Oct 12 02:00:39 2017
Source : https://192.168.122.231/feeds/Domain-Output
Referenced : Yes
Valid : Yes
Auth-Valid : Yes
Total invalid entries : 1
Failed binding local connection end
All certificates are imported and nginx restarted....even CA certificate trusted in Firefox browser gives a cert error....
Please can anyone tell whats the issue?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!