Cortex XDR Pro on Linux Mint

cancel
Showing results for 
Search instead for 
Did you mean: 

Cortex XDR Pro on Linux Mint

L0 Member

I am having an issue with an installation of XDR on Linux Mint 20.

 

I found this post with no resolution  and one of the comments from @MartinSauer  suggests someone else was seeing the same issue.

LIVEcommunity - ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed ... 

 

In the trapsd.log I can see the error:

 {trapsd:Communication:Heartbeat:Scheduled:https://distributions.traps.paloaltonetworks.com/operations/provision/register-url/<dist-id>} HTTP request failed due to an SSL error (0): SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
 

If I curl that URI it connects fine and I can see the TLS handshake and TLS v1.2 is used, it returns a status 200 message and a resource URI, similarly, if I browse to the URI using Firefox ESR I get a valid response with a resource URI with no certificate errors.

 

Why cant the XDR Agent validate the cert and is this limited to an issue with Linux Mint 20?

 

Support are driving me mad  and keep telling me its a certificate issue asking me to install certificates which I have demonstrated are installed.

 

Has anybody else come across this?

 
 

1 ACCEPTED SOLUTION

Accepted Solutions

L0 Member

So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.

 

Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain.  You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com

 

I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way  follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.

 

Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.

 

Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)

 

At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .

View solution in original post

1 REPLY 1

L0 Member

So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.

 

Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain.  You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com

 

I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way  follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.

 

Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.

 

Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)

 

At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!