Cortex XDR Pro on Linux Mint

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR Pro on Linux Mint

L1 Bithead

I am having an issue with an installation of XDR on Linux Mint 20.

 

I found this post with no resolution  and one of the comments from @MartinSauer  suggests someone else was seeing the same issue.

LIVEcommunity - ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed ... 

 

In the trapsd.log I can see the error:

 {trapsd:Communication:Heartbeat:Scheduled:https://distributions.traps.paloaltonetworks.com/operations/provision/register-url/<dist-id>} HTTP request failed due to an SSL error (0): SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
 

If I curl that URI it connects fine and I can see the TLS handshake and TLS v1.2 is used, it returns a status 200 message and a resource URI, similarly, if I browse to the URI using Firefox ESR I get a valid response with a resource URI with no certificate errors.

 

Why cant the XDR Agent validate the cert and is this limited to an issue with Linux Mint 20?

 

Support are driving me mad  and keep telling me its a certificate issue asking me to install certificates which I have demonstrated are installed.

 

Has anybody else come across this?

 
 

1 accepted solution

Accepted Solutions

L1 Bithead

So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.

 

Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain.  You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com

 

I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way  follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.

 

Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.

 

Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)

 

At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .

View solution in original post

2 REPLIES 2

L1 Bithead

So, PA Customer support shut this down by saying Linux Mint is an unsupported OS.

 

Internally what we found that _may_ explain the situation is that PA have a self-signed anchor issue on the SSL certificate chain.  You can see this on a Qualys SSL scan of distributions.traps.paloaltonetworks.com

 

I can't prove it at this point, but the thinking internally is that either Mint or the app or a combination in some way  follow the entire chain and fail validation because it sees the final certificate in the chain is self signed even though it is in the trusted root store.

 

Given that PA won't entertain any further investigation I've had to move on, their list of supported Linux OS is very small and contains no specific desktop variants or flavours.

 

Where Can I Install the Cortex XDR Agent? (paloaltonetworks.com)

 

At this point I don't consider that XDR fully supports Linux and certainly not Linux for desktop\client endpoints .

L2 Linker

Ubuntu is Cortex XDR supported:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Linux

 

Linux Mint 21.1 "Vera" is basically a fork of Ubuntu 22.04 "jammy" with some changes:

$cat /etc/upstream-release/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu Jammy Jellyfish"

 

Except Cortex XDR is looking at /etc/lsb-release and not the upstream and will generate this error and not be able to figure out what to do with CA certificates it wants to add:

{trapsd:Communication:Startup:} Could not resolve CA certificates bundle path, unrecognized Linux distribution

 

You can work-around this:

  • sudo cp -av /etc/release-lsb /etc/release-lsb.orig ; sudo ln -s ./upstream-release/lsb-release /etc

Now it will be happy with the Linux distribution detection and add the CA certificate properly.

To remove this work-around, just restore the original file:

  • sudo rm /etc/lsb-release ; sudo cp -av /etc/release-lsb.orig /etc/release-lsb

After this fix, a SSL error most likely points to SSL decryption somewhere along the way.  Either configure PAN FW to not decrypt Traps traffic, or add the CA for the decryption PAN FW to the OS certificate store:

  1. To add: 
    1. Copy your CA to ls /usr/local/share/ca-certificates/
    2. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
    3. Update the CA store: sudo update-ca-certificates
  2. To remove:
    1. Remove your CA: rm /usr/local/share/ca-certificates/foo.crt
    2. Update the CA store: sudo update-ca-certificates --fresh

 

  • 1 accepted solution
  • 4713 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!