Dear Luigi,
We are having a lot of issues with MineMeld, I hope you can help.
We are deploying MineMeld with our customers on their own vmware environment in a DMZ zone with NO DHCP.
I know you prefer to use AutoFocus, MineMeld in AWS, MineMeld on Ubuntu or MineMeld with DHCP, but this is not always feasible for our customers.
In any case here is the setup we follow:
Installation
Download the fast-install OVA file. This has the needed iso-file bundled in https://s3-eu-west-1.amazonaws.com/minemeld-dist/0_9/minemeld-vm-0.9.10-1build1.ova
Deploy the OVA in VMware. All settings can be kept at their default values.
Boot the MineMeld instance and let it fail the initialization. It will take some time as it searches in vain for a DHCP server
Login to the console of the Virtual Machine with credentials: username: ubuntu password: rsplizardspock
Configure a static IP for your MineMeld
$ sudo vi /etc/network/interfaces.d/eth0.cfg
auto eth0
iface eth0 inet static
    address x.x.x.x
    netmask x.x.x.x
    gateway x.x.x.x
    dns-nameservers x.x.x.x
Press "esc" and ":wq" to save the file in vi.
Then enter following command. This will reset a value so MineMeld is correctly installed on next reboot.
$ sudo rm -rf /var/lib/cloud/*
Reboot the device
$ sudo shutdown -r now
The instance will reboot and (re)start the MineMeld installation.
Installation is now done. You can access the GUI at https://x.x.x.x
This works perfectly.
After install we can access the GUI.
We can reboot the appliance via CLI, or just in VMWare give it a hard power-off and start up -> the MineMeld will run again
NEXT
Since PanOS 7.1 and higher we need to install a custom certificate on the MineMeld to get it to connect
For this we follow the following steps
Create a new self-signed CA certificate on the Palo Alto firewall for MineMeld
Export both the public and private certificate off the firewall:
A) Export the public part (Base64 PEM) >>> certificate.crt
B) Export the private part (Base64 PEM + select "Export private key") >>> certificate.pem. You will need to provide a password when selecting the private key.
Login to MineMeld via CLI (SSH or VMWare console) and Stop nginx
$ sudo service nginx stop
Replace the files with a valid certificate and private key
A) First rename the original certificate files:
$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer.bck
$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.bck
B) Using WinSCP, copy the newly created certificates to the "/tmp" folder. Then copy the new certificates to the NGINX directory:
$ sudo cp /tmp/xxx.crt /etc/nginx/minemeld.cer
$ sudo cp /tmp/xxx.pem /etc/nginx/minemeld.pem
C) Now restart NGINX and enter the password for the private key (created in step 2.B):
$ sudo service nginx start
This works perfectly.
We can now see that the MineMeld is using the new certificate and connects to the PaloAlto.
BUT
If we now shut down the MineMeld, either via the CLI (sudo shutdown) or just a hard power-off in VMware,
and then boot the appliance again, it will not boot anymore but gets stuck at:
You can still login using CLI:
But the CLI keeps displaying "initializing minemeld"...
If we press CTRL+C we cancel this and can access the CLI
ubuntu@minemeld:~$ sudo service nginx status
* nginx is not running
If I then do sudo service nginx start and enter the PEM pass phrase again, the service runs again:
ubuntu@minemeld:~$ sudo service nginx start
Enter PEM pass phrase:
ubuntu@minemeld:~$ sudo service nginx status
* nginx is running
Now we can access the GUI again, BUT
When I try to log in via the GUI I get the following errors even before I try to enter credentials, just by opening the page:
Then when I try my credentials
Even the default credentials...
The only way to resolve this is to delete the appliance and start all over again...
Is this a known bug? Are we doing something wrong?
Can you help us?
This issue can easily be reproduced using the steps above.
I have a “broken” minemeld running in our VM if you need more info / files.
Also, a backup of the config taken via the GUI does not include the newly installed certificate. Is there a way to export all the config, including the IP config, cert, … so we can restore the machines faster / easier?
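A pre-flight check for the certificate swap in steps 3 to 5 of the post, added here as an example and not part of the original post or of MineMeld itself: the boot hang described above matches nginx stopping at "Enter PEM pass phrase:" while MineMeld's init waits for it, so the script refuses to install a passphrase-protected key and, where openssl is present, also verifies that certificate and key belong together. The /etc/nginx/minemeld.cer and minemeld.pem names come from the post; the function names, the install-directory parameter and the header-only sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file names the post
# uses (/etc/nginx/minemeld.cer, /etc/nginx/minemeld.pem); the install
# directory is a parameter so the script can be exercised outside /etc/nginx.

# Returns 0 if the PEM key in $1 is passphrase-protected. nginx cannot open such
# a key unattended, so at boot it stops at "Enter PEM pass phrase:".
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Returns 0 if certificate $1 and key $2 carry the same public key,
# 1 if they do not (or cannot be parsed), 2 if openssl is not installed.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Installs cert $1 and key $2 into $3 (default /etc/nginx) under the names
# MineMeld's nginx expects, keeping .bck copies, only if the key loads unattended.
install_minemeld_cert() {
    crt=$1; key=$2; dir=${3:-/etc/nginx}
    if key_is_encrypted "$key"; then
        echo "refusing $key: a passphrase-protected key hangs nginx at boot" >&2
        echo "strip it first: openssl rsa -in $key -out minemeld-nopass.pem" >&2
        return 1
    fi
    rc=0; cert_matches_key "$crt" "$key" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "refusing: $crt and $key do not match" >&2
        return 1
    fi
    [ -f "$dir/minemeld.cer" ] && cp "$dir/minemeld.cer" "$dir/minemeld.cer.bck"
    [ -f "$dir/minemeld.pem" ] && cp "$dir/minemeld.pem" "$dir/minemeld.pem.bck"
    cp "$crt" "$dir/minemeld.cer" && cp "$key" "$dir/minemeld.pem" \
        && chmod 600 "$dir/minemeld.pem"
}

# Demo on constructed stand-ins (PEM header lines only, not real keys).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n' > "$demo_dir/enc.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\n' > "$demo_dir/plain.pem"
key_is_encrypted "$demo_dir/enc.pem"   && echo "enc.pem: would prompt at boot"
key_is_encrypted "$demo_dir/plain.pem" || echo "plain.pem: loads unattended"
```

Run it as root with the real paths (install_minemeld_cert /tmp/xxx.crt /tmp/xxx.pem) after "service nginx stop" and before "service nginx start"; the nginx restart itself is left to the steps in the post.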