Minemeld SSL Certificates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Minemeld SSL Certificates

L4 Transporter

Hi - 2 questions:-

 

> How do we change the default SSL certificate on Minemeld?  Standard Apache cert replacement?

> If we have a custom source running SSL with a self-signed cert, can we force a HTTPS miner to ignore the cert error?

 

Thanks!

1 accepted solution

Accepted Solutions

@apackard MineMeld can't verify the cert of the server hosting the blocklist.

You can:

- copying the CA of the server certificate on the MineMeld instance and then setting REQUESTS_CA_BUNDLE env in /etc/default/minemeld to point to that location (preferred if the server is not using a self-signed cert)

 - adding the setting verify_cert: false inside the prototype in the config section to disable certificate verification

 

NOTE: there is a bug in MineMeld 0.9.20 affecting local prototypes, to avoid losing your custom proto please move the minemeldlocal.yml to the right place:

sudo -u minemeld mv /opt/minemeld/prototypes/current/minemeldlocal.yml /opt/minemeld/local/prototypes/

View solution in original post

11 REPLIES 11

L7 Applicator

Hi apackard,

 

How to change certs

Certificate is served by nginx and stored in /etc/nginx/minemeld.cer (certificate) /etc/nginx/minemeld.pem (private key). You can stop nginx ("sudo service nginx stop"), replace the files with a valid certificate and private key and restart nginx ("sudo service nginx start").

 

Ignore cert errors

Sure, this is usually done with the prototype. Which Miner are you using ?

 

Thanks.

Thanks very much - half asleep on the Apache\ngix mixup..!

 

I created a new miner and used the following prototype as a template: - minemeld.ft.http.HttpFT

 

attributes
  • application: http
  • confidence: 100
  • direction: inbound
  • share_level: green
  • type: IPv4
source_name mm.ciuthreatintel
url https://<internal_FQDN>:8787/pa-dbl.txt

 

I can see polling errors being reported under the Statistics UI page but can't find where they are actually logged - looking again with fresh eyes I see I have set the application attribute to http.

 

On that subject is there any documentation on these attributes, they mostly seem obvious but I'm not sure on some of them?

 

Many Thanks

@apackard Look for the file /opt/minemeld/log/minemeld-engine.log and search inside it for the name of your node. Attributes looks correct, could you paste the full YAML config of the prototype (removing the confidential part of it) ?

 

Thanks !

luigi

Thanks Luigi.

 

Pertinent error log entry:-

 

Exception in polling loop for CIU_Threatintel_Droplist: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

 

And the YAML:-

 

#####@#####:/opt/minemeld/prototypes/0.9.20$ cat minemeldlocal.yml
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
CIU Threatintel Droplist:
class: minemeld.ft.http.HttpFT
config:
attributes:
application: http
confidence: 100
direction: inbound
share_level: green
type: IPv4
source_name: mm.ciuthreatintel
url: https://##########:8787/pa-dbl.txt
description: #####\ThreatStream moderated IP blocklist
development_status: STABLE
node_type: miner

@apackard MineMeld can't verify the cert of the server hosting the blocklist.

You can:

- copying the CA of the server certificate on the MineMeld instance and then setting REQUESTS_CA_BUNDLE env in /etc/default/minemeld to point to that location (preferred if the server is not using a self-signed cert)

 - adding the setting verify_cert: false inside the prototype in the config section to disable certificate verification

 

NOTE: there is a bug in MineMeld 0.9.20 affecting local prototypes, to avoid losing your custom proto please move the minemeldlocal.yml to the right place:

sudo -u minemeld mv /opt/minemeld/prototypes/current/minemeldlocal.yml /opt/minemeld/local/prototypes/

Perfect, many thanks.

Hi Luigi,

When I add cert signed by PAN deivce to /etc/nginx ( minemeld.cer and minemeld.pem) , when I restart nginx ( sudo service nginx restart ) it ask the PAM pass phrase. ALthough I put the correct password or remove the password from pem, it always ask.

So I can not change minemeld to use certificate signed by our PAN vm.  Do I missed anything ?

Best Regards,

An

Hi @Nupagazy,

if the restart ask for password, typically means that your private key is password protected. I know you already removed that, but could you double check?

I found following config of minemeld-web:

ssl_certificate /etc/nginx/minemeld.cer

ssl_certificate_key /etc/nginx/minemeld.pem

Which certificates generated by PAN vm should I replace the above two ?

Best Regards,

An

Hi @Nupagazy,

basically you should place in /etc/nginx/minemeld.cer your certificate in PEM format, and in /etc/nginx/minemeld.pem your private in PEM (with no password!)

 

Luigi

Thank you so much, I can make the PA vm send https log to minemeld now.

Best Regards,

An

  • 1 accepted solution
  • 22760 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!