03-24-2021 07:40 AM - edited 03-24-2021 07:41 AM
I am having an issue with an installation of XDR on Linux Mint 20.
I found this post with no resolution and one of the comments from @MartinSauer suggests someone else was seeing the same issue.
In the trapsd.log I can see the error:
If I curl that URI it connects fine and I can see the TLS handshake and TLS v1.2 is used, it returns a status 200 message and a resource URI, similarly, if I browse to the URI using Firefox ESR I get a valid response with a resource URI with no certificate errors.
Why cant the XDR Agent validate the cert and is this limited to an issue with Linux Mint 20?
Support are driving me mad and keep telling me its a certificate issue asking me to install certificates which I have demonstrated are installed.
Has anybody else come across this?
03-26-2021 02:27 AM
So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.
Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain. You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com
I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.
Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.
Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)
At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .
03-26-2021 02:27 AM
So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.
Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain. You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com
I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.
Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.
Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)
At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .
06-21-2023 07:50 PM - edited 06-23-2023 08:41 AM
Ubuntu is Cortex XDR supported:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Linux
Linux Mint 21.1 "Vera" is basically a fork of Ubuntu 22.04 "jammy" with some changes:
$cat /etc/upstream-release/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu Jammy Jellyfish"
Except Cortex XDR is looking at /etc/lsb-release and not the upstream and will generate this error and not be able to figure out what to do with CA certificates it wants to add:
{trapsd:Communication:Startup:} Could not resolve CA certificates bundle path, unrecognized Linux distribution
You can work-around this:
Now it will be happy with the Linux distribution detection and add the CA certificate properly.
To remove this work-around, just restore the original file:
After this fix, a SSL error most likely points to SSL decryption somewhere along the way. Either configure PAN FW to not decrypt Traps traffic, or add the CA for the decryption PAN FW to the OS certificate store:
ls /usr/local/share/ca-certificates/sudo cp foo.crt /usr/local/share/ca-certificates/foo.crtsudo update-ca-certificatesrm /usr/local/share/ca-certificates/foo.crtsudo update-ca-certificates --fresh
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
