12-14-2022 07:13 AM
Given that I am programming a custom https client
When I invoke CWPP APIs over https
Then I encounter SSLErrors
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain
Where can I get a .pem or .crt file containing the CWPP certificates that I should trust?
Although I found this resource in the documentation, https://prisma.pan.dev/api/cloud/cwpp/defenders/#operation/get-defenders-install-bundle
When I invoke that API, I get this json...
$ curl -k \
> -H "Authorization: Bearer $token" \
> -H 'Content-Type: application/json' \
> -X GET "${PRISMA_CLOUD_COMPUTE_CONSOLE_API_ADDR}/api/v1/defenders/install-bundle?consoleaddr=${PRISMA_CLOUD_COMPUTE_SVC_ADDR}"
{"wsAddress":"wss://us-east1.cloud.twistlock.com:443","installBundle":"eyJzZWNyZXRzIjp7fSwiZ2xvYmFsUHJveHlPcHQiOnsiaHR0cFByb3h5IjoiIiwibm9Qcm94eSI6IiIsImNhIjoiIiwidXNlciI6IiIsInBhc3N3b3JkIjp7ImVuY3J5cHRlZCI6IiJ9fSwiY3VzdG9tZXJJRCI6InVzLTEtMTExNTc0MzIzIiwiYXBpS2V5IjoiV09FcHBSWjlPZHk0UTgxeTNkNG5nUDdIbzJ6U2xVeWpqSy95VThJM2FwTVNhTXRDaXIrTnFXVkk5L2NsQUp5d0dFVThrTGNkQ1U1d1MvQnlUZUxXVXc9PSIsIm1pY3Jvc2VnQ29tcGF0aWJsZSI6ZmFsc2V9"}
What is that? How is that "installBundle" intended to be used?
12-15-2022 11:33 AM - edited 12-15-2022 11:35 AM
Ultimately, I want to tell python's requests package where to find the certificate chain file for this host.
resp = requests.post(url, json=payload, headers=headers, verify='/Users/TAHV/Downloads/cloud-twistlock-com-chain.pem')
In Safari:
In Google Chrome:
In Firefox:
12-15-2022 12:01 PM - edited 12-15-2022 12:03 PM
*Moved Reply to accepted answer for visibility*
Your answer is correct.
Based on your statement "programming a custom https client", I recommend you check out these 2 GitHub repos that provide Python libraries for handling Authentication and Sessions with Prisma Cloud.
https://github.com/PaloAltoNetworks/pc-python-integration
https://github.com/PaloAltoNetworks/prismacloud-api-python
They may be of use to you. They are very similar in feature set and the configuration files are cross-compatible. They are both updated regularly. I am partial to PCPI as I created it. The first link, PCPI, is a lightweight implementation with only Authentication and Session management features, while the second link, Prisma Cloud API for Python, has lots of pre-baked API calls to help speed up your development.
Both of these libraries have support to handle the SSL Issue you were encountering since they both implement the "verify" option in Python Requests. They also both include the same script that can generate Prisma Cloud Certificates for you instead of pulling them out of your browser.
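Added example, not part of the thread and not code from either linked library: a pre-flight check for the chain file handed to the "verify" option of Python Requests, so that a missing, non-PEM or leaf-only file is reported up front instead of surfacing as CERTIFICATE_VERIFY_FAILED or tempting a switch to verify=False. The function names are hypothetical; only the standard library is used.

```python
import os
import ssl


def ca_bundle_problem(path):
    """Return None if `path` is a usable PEM CA bundle, else a short reason."""
    if not path or not os.path.isfile(path):
        return "file not found"
    # A bare client context starts with an empty trust store, so everything
    # counted below comes from this one file.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return f"not a loadable PEM bundle: {exc}"
    # A file holding only the server's leaf certificate cannot anchor the
    # chain; at least one CA certificate has to be present.
    if ctx.cert_store_stats()["x509_ca"] == 0:
        return "no CA certificate in file (leaf only?)"
    return None


def resolve_verify(explicit=None, environ=os.environ):
    """Choose the value for requests' verify=. Never returns False."""
    candidates = (
        ("verify argument", explicit),
        ("REQUESTS_CA_BUNDLE", environ.get("REQUESTS_CA_BUNDLE")),
    )
    for source, path in candidates:
        if path:
            problem = ca_bundle_problem(path)
            if problem:
                raise ValueError(f"{source} {path!r}: {problem}")
            return path
    return True  # fall back to requests' default trust store


# Usage with the call from the post above (path is whatever chain file you saved):
#   resp = requests.post(url, json=payload, headers=headers,
#                        verify=resolve_verify("/path/to/chain.pem"))
# Pass verify= per request: when REQUESTS_CA_BUNDLE is set, requests lets it
# override Session.verify.
```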
12-14-2022 11:32 AM - edited 12-14-2022 05:17 PM
Is your CWP Console self hosted or a SaaS tenant?
Is the machine attempting to make API calls using a VPN?
Are you able to generate a JWT Token successfully with the API? Or is the only operation that is failing the defender call you have included an example of?
"
Given that I am programming a custom https client
When I invoke CWPP APIs over https
Then I encounter SSLErrors
"
Can you include any API endpoints that you have attempted to call that result in you getting an SSL Error?
12-15-2022 11:31 AM
IMO, it's a Python configuration problem.
12-15-2022 11:56 AM - edited 12-15-2022 12:01 PM
Your answer is correct.
Based on your statement "programming a custom https client", I recommend you check out these 2 GitHub repos that provide Python libraries for handling Authentication and Sessions with Prisma Cloud.
https://github.com/PaloAltoNetworks/pc-python-integration
https://github.com/PaloAltoNetworks/prismacloud-api-python
They may be of use to you. They are very similar in feature set. The first link, PCPI, is a lightweight implementation with only Authentication and Session management features, while the second link, Prisma Cloud API for Python, has lots of pre-baked API calls to help speed up your development.
Both of these libraries have support to handle the SSL Issue you were encountering since they both implement the "verify" option in Python Requests. They also both include the same script that can generate Prisma Cloud Certificates for you instead of pulling them out of your browser.