vinceneil666
Advisor

AppSec, certificate issues.

We have set up the AppSec solution, running on a couple of machines in AWS (we used the CloudFormation template). We got it up and running fine, and went through the setup of getting certificates from the AWS cert store.

We set up our first website, and everything was working. I see the logs verify that we get the certificate from the AWS store; everything is all OK! It was a pretty straightforward setup and works fine for that one site.

Then, after some time, we were adding in a few more sites with different certificates. We did exactly the same, no changes in IAM roles, same as before. (We did it several times, since we thought we did something wrong.)

But we keep getting errors:

{"eventTime": "2022-12-09T08:04:31.677","eventName": "The AppSec Gateway's certificate for URL '<https://xxx.xxxx.xxx.xxx.xxxx>' could not be found in cloud certificate store","eventSeverity": "Critical",

{"logIndex": 8,"eventRemediation": "Verify the relevant certificate exists in the appropriate location. error: <Host xx.xxxx.com could not be matched to any of the certificates>","eventObject": {"notificationConsumerData": {"certificationStatusNotificationConsumers": {"assetId": "xxxxxa-c145-xx8c-53d6-xxxxxxx2c","profileId": "42xxxx3-2362-5xxx-498b-1xxxxxce","certType": "Aws","url": "https://xxx.xxx.xxx.xxx","message": "The AppSec Gateway's certificate for URL '<https://xx.x.x.xx.xxx.xx>' could not be found in cloud certificate store"}}},"notificationId": "41xxxb1-e9bc-4xxx3-8xxb-xxxxxxxxb"}}


The event viewer in the Infinity portal also tells me to check the IAM roles.

 

The thing is, that we have gone through this several times. And we have also brought in consultants on certificates and IAM in AWS. We are totally unable to find anything wrong. (In addition we have restarted services, rebooted the servers...)

Referring to the AppSec documentation, we do get a few commands relating to cpnano, but can anyone tell me if there is some place that describes a bit more advanced troubleshooting method? Or, even better, has anyone had the same issue?

 

To note: the original site we got working is still working. We have also reached out to Check Point and are waiting for a remote session.

14 Replies
the_rock
Legend

I read your post carefully and here is my logic on this. I'm not by any means an AWS cloud expert at all, but based on the error you indicated

"The AppSec Gateway's certificate for URL '<https://xxx.xxxx.xxx.xxx.xxxx>' could not be found in cloud certificate store","eventSeverity": "Critical",

to me, that clearly complains that it cannot locate the proper cert anywhere. Now, I know you said you guys brought in a consultant to check on this, but can you maybe verify where the cert is located for the initial site that does work?

vinceneil666
Advisor

Yes, we have done this. And it's where it's supposed to be, and where the new ones are. Also we keep referring to:
https://appsec-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-mac...

The error message is pretty clear, so I do agree, might be a typo somewhere or something. But we have been through it 4 times now.

the_rock
Legend

Ok, fair enough! Maybe follow what @yuvalmamka sent, that looks promising.

Andy

yuvalmamka
Employee

Hey,

Do the other certificates contain SAN (Subject Alternative Name)?
AppSec is using SAN to fetch the relevant certificate to the correct asset.

You can also try to run CertVerify on the certificate and understand from the outcome if there is an issue with the certificate itself.

I would also check that the correct tag is in place with the correct ARN.

vinceneil666
Advisor

Thank you for the tip. I will get that checked ASAP!

vinceneil666
Advisor

Hi,

So the site that is working has a wildcard cert, so that one does not have a SAN.

The site that is not working does have a SAN.

the_rock
Legend

Well, that's interesting that a wildcard cert would work... how many hostnames are protected by the cert for the site that's failing?

vinceneil666
Advisor

The wildcard is, as of now, protecting two sites.
Then I have two sites, with two different certs, that are both failing.

Could it be the use of the wildcard that messes things up? I have considered removing it... (We are not in production yet for these sites.)

yuvalmamka
Employee

Hey,

The wildcard is supported, so I don't think this can mess things up.
It is weird, but, my rule is: if it works, don't touch 🤐

Did you double check that the correct tag is attached with the correct ARN?

vinceneil666
Advisor

I assumed that this was the tags in the Secrets Manager in AWS? If so, yes, those are verified.

the_rock
Legend

OK, so apart from SAN and one being a wildcard cert, you guys don't see any other differences?

yuvalmamka
Employee

Yes. Ok, so it looks weird according to what you described.

Let's look further into it tomorrow on the remote session that you scheduled.

vinceneil666
Advisor

So TAC got this resolved, and it came down to the tag in AWS Secrets Manager being written as "Private Key", not as "private key". This actually created a world of problems, crashing the reverse proxy running on the AppSec. Thanks to TAC for the major digging that was needed to figure that out, and a fix is probably on the way very soon! 🙂
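The root cause above (a Secrets Manager tag key written "Private Key" instead of "private key") is the kind of thing a small pre-flight check catches before a remote session is needed: AWS tag keys are case-sensitive, so a lookup for the exact key fails while a human eyeballing the console sees "the right tag". The script below is an added example, not code from the thread, from Check Point, or from the AppSec product. It runs offline on constructed secret metadata; the only expected tag key it knows is "private key", as stated in the resolution, and any other keys in the real AppSec tag schema are unknown here. The hostname check implements the usual TLS rule (exact name or a single leftmost wildcard label, as in RFC 6125), which is an assumption about how the gateway matches a site to a certificate's SAN, not a statement about its actual code.

```python
"""Pre-flight check for certificate secrets: exact-case tag keys and
hostname coverage. Added example; all data below is constructed."""

# The only tag key taken from the thread. Other keys the product may
# require are not known from the thread and are deliberately not guessed.
EXPECTED_TAG_KEYS = ["private key"]


def find_tag(tags, expected_key):
    """Return (value_or_None, near_miss_keys).

    Tags are Secrets Manager style: [{"Key": ..., "Value": ...}, ...].
    AWS tag keys are case-sensitive, so only an exact match is a hit;
    keys that differ only in case are returned so they can be reported.
    """
    exact = [t["Value"] for t in tags if t["Key"] == expected_key]
    near = [t["Key"] for t in tags
            if t["Key"] != expected_key
            and t["Key"].casefold() == expected_key.casefold()]
    return (exact[0] if exact else None), near


def hostname_matches(hostname, cert_names):
    """True if hostname is covered by one of the certificate's names.

    Matching is case-insensitive; a wildcard is honoured only as the
    whole leftmost label ("*.example.com" covers "www.example.com" but
    neither "example.com" nor "a.b.example.com").
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]       # the part replacing '*'
                if left and "." not in left:
                    return True
    return False


def audit(secret_name, tags, cert_names, hostnames,
          expected_keys=EXPECTED_TAG_KEYS):
    """Return a list of human-readable findings for one secret."""
    findings = []
    for key in expected_keys:
        value, near = find_tag(tags, key)
        if value is None:
            msg = f"{secret_name}: missing tag '{key}'"
            if near:
                msg += f" (found case variant(s): {near})"
            findings.append(msg)
    for host in hostnames:
        if not hostname_matches(host, cert_names):
            findings.append(
                f"{secret_name}: host {host} not covered by {cert_names}")
    return findings


# Constructed sample data mirroring the thread: one working wildcard
# site and two failing sites. ARNs and names are placeholders.
SECRETS = {
    "wildcard-site": {
        "tags": [{"Key": "private key", "Value": "arn:aws:kms:...:key/1"}],
        "cert_names": ["*.example.com"],
        "hostnames": ["www.example.com", "app.example.com"],
    },
    "site1": {
        "tags": [{"Key": "Private Key", "Value": "arn:aws:kms:...:key/2"}],
        "cert_names": ["site1.example.org", "www.site1.example.org"],
        "hostnames": ["site1.example.org"],
    },
    "site2": {
        "tags": [{"Key": "private key", "Value": "arn:aws:kms:...:key/3"}],
        "cert_names": ["site2.example.net", "*.example.net"],
        "hostnames": ["site2.example.org"],   # SAN is for the wrong domain
    },
}


def run_audit(secrets=SECRETS):
    """Audit every secret; returns {secret_name: [findings]}."""
    return {name: audit(name, s["tags"], s["cert_names"], s["hostnames"])
            for name, s in secrets.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Against real AWS you would feed `audit()` the output of `list_secrets` / `describe_secret` (which return tags in the same `Key`/`Value` shape) and the names parsed out of each certificate; the point of the near-miss report is to turn "tag is present" into "tag is present with exactly the key the integration reads".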

Blason_R
Leader

Hmm, nice learning for us as well. I set all AppSec on my customized nginx reverse proxy and use the nginx nano agent, hence managing the certs on my reverse proxy box.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS