CWPP SSL Certificate, self-signed or chain


L3 Networker

Given that I am programming a custom https client

When I invoke CWPP APIs over https

Then I encounter SSLErrors

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain

Where can I get a .pem or .crt file containing the CWPP certificates that I should trust?

Although I found this resource in the documentation, https://prisma.pan.dev/api/cloud/cwpp/defenders/#operation/get-defenders-install-bundle

When I invoke that API, I get this json...

$ curl -k \
>   -H "Authorization: Bearer $token" \
>   -H 'Content-Type: application/json' \
>   -X GET "${PRISMA_CLOUD_COMPUTE_CONSOLE_API_ADDR}/api/v1/defenders/install-bundle?consoleaddr=${PRISMA_CLOUD_COMPUTE_SVC_ADDR}"
{"wsAddress":"wss://us-east1.cloud.twistlock.com:443","installBundle":"eyJzZWNyZXRzIjp7fSwiZ2xvYmFsUHJveHlPcHQiOnsiaHR0cFByb3h5IjoiIiwibm9Qcm94eSI6IiIsImNhIjoiIiwidXNlciI6IiIsInBhc3N3b3JkIjp7ImVuY3J5cHRlZCI6IiJ9fSwiY3VzdG9tZXJJRCI6InVzLTEtMTExNTc0MzIzIiwiYXBpS2V5IjoiV09FcHBSWjlPZHk0UTgxeTNkNG5nUDdIbzJ6U2xVeWpqSy95VThJM2FwTVNhTXRDaXIrTnFXVkk5L2NsQUp5d0dFVThrTGNkQ1U1d1MvQnlUZUxXVXc9PSIsIm1pY3Jvc2VnQ29tcGF0aWJsZSI6ZmFsc2V9"}

What is that?  How is that "installBundle" intended to be used?

 

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org
Accepted Solutions

L3 Networker

Ultimately, I want to tell python's requests package where to find the certificate chain file for this host.

  1. I added the verify parameter to my python statement / function-call.
  2. resp = requests.post(url, json=payload, headers=headers, verify='/Users/TAHV/Downloads/cloud-twistlock-com-chain.pem')
  3. Then... where do I get the certificate chain in a pem file format for prisma domain?
  4. Navigate my browser to the endpoint's URL, for example https://us-east1.cloud.twistlock.com/us-1-111574323/api/v1/defenders/install-bundle?consoleaddr=us-e...
  5. Then, save the certificate to a pem file.

In Safari:

  1. Click the padlock icon in the URL bar
  2. Click the Show Certificate button in the dialog that appears
  3. Click on the certificate icon, and drag it to a Finder window (or the Desktop)

In Google Chrome:

  1. Click the padlock icon in the URL bar
  2. If the dialog that appears has a "Connection is secure" line, click on that
  3. Click the "Certificate is valid" or "Certificate (Valid)" area in the dialog
  4. Click on the certificate icon, and drag it to a Finder window (or the Desktop)

In Firefox:

  1. Click the padlock icon in the URL bar 
  2. Click the "Show connection details" (right-arrow) button to the right of "Connection secure" in the dialog that appears
  3. Click the "More information" area 
  4. Under the Security tab, click the "View Certificate" button
  5. A "about:certificate?cert=..." browser tab will open; scroll down to the Miscellaneous section 
  6. In the "Download" line, click "PEM (cert)" to save the site's leaf certificate to your Downloads folder, or "PEM (chain)" to save the entire trust chain

     

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org
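Added example (not the poster's code and not the Palo Alto script mentioned below): the same chain the steps above pull out of a browser can be dumped with `openssl s_client -showcerts`, parsed into a PEM bundle, and handed to `verify=`. The host name, the sample s_client output and the hostnames inside it are constructed placeholders, and the stdlib `ssl` context stands in for requests so the block has no third-party dependency.

```python
import re
import ssl
import subprocess
import urllib.request

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client -showcerts` output; the bodies are not real certificates
SAMPLE_S_CLIENT_OUTPUT = """verify error:num=19:self signed certificate in certificate chain
 0 s:CN = console.example.test
   i:CN = Example Private CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Private CA
   i:CN = Example Private CA
-----BEGIN CERTIFICATE-----
MIIBrootPLACEHOLDER
-----END CERTIFICATE-----
---
"""

def pem_blocks(s_client_output: str) -> list[str]:
    """Pull every certificate the server sent out of the s_client chatter.
    Keep all of them: a bundle holding only the leaf is not a trust anchor and
    still fails with 'unable to get local issuer certificate'."""
    text = s_client_output.replace("\r\n", "\n")
    return [block + "\n" for block in PEM_BLOCK.findall(text)]

def bundle_text(blocks: list[str]) -> str:
    """Concatenate the blocks in server order (leaf first, private root last)."""
    return "".join(blocks)

def fetch_chain(host: str, port: int = 443) -> list[str]:
    """Dump the chain the server presents with the openssl CLI (needs network and openssl)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30, check=False)
    return pem_blocks(proc.stdout.decode("utf-8", "replace"))

def verified_get(url: str, cafile: str) -> bytes:
    """GET with the saved bundle as the trust store, the stdlib twin of
    requests.get(url, verify=cafile); do not fall back to curl -k or verify=False."""
    ctx = ssl.create_default_context(cafile=cafile)  # replaces the default CA set, as verify= does
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()
```

Write the bundle with `open("chain.pem", "w").write(bundle_text(fetch_chain(host)))` and pass that path to requests' verify=. Because verify= (like cafile= here) replaces the default CA bundle, a client that also calls public endpoints should use a separate session for them or load the system CAs as well.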


*Moved Reply to accepted answer for visibility*

Your answer is correct. 

Based on your statement "programming a custom https client", I recommend you check out these 2 GitHub repos that provide Python libraries for handling Authentication and Sessions with Prisma Cloud.
https://github.com/PaloAltoNetworks/pc-python-integration

https://github.com/PaloAltoNetworks/prismacloud-api-python

They may be of use to you. They are very similar in feature set and the configuration files are cross-compatible. They are both updated regularly. I am partial to PCPI as I created it. The first link, PCPI, is a lightweight implementation with only Authentication and Session management features, while the second link, Prisma Cloud API for Python, has lots of pre-baked API calls to help speed up your development.

Both of these libraries have support to handle the SSL Issue you were encountering since they both implement the "verify" option in Python Requests. They also both include the same script that can generate Prisma Cloud Certificates for you instead of pulling them out of your browser.

Customer Success Engineer | Prisma Cloud Compute | Moderator


5 REPLIES

Is your CWP Console self hosted or a SaaS tenant?

Is the machine attempting to make API calls using a VPN?

Are you able to generate a JWT Token successfully with the API? Or is the only operation that is failing the defender call you have included an example of?

"

Given that I am programming a custom https client

When I invoke CWPP APIs over https

Then I encounter SSLErrors
"

Can you include any API endpoints that you have attempted to call that result in you getting an SSL Error?



Customer Success Engineer | Prisma Cloud Compute | Moderator

  1. Saas Tenant
  2. Yes, my workstation connects via VPN.
  3. I can generate a token from bash via curl command; that error is from python.requests package invoking https://api.prismacloud.io/login

IMO, it's a python configuration problem.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org
