cdav
Contributor

CA Issues on AWS R81.20 Manager

I have deployed an EC2 manager from the Marketplace image in AWS. I keep running into an issue where it would appear the CA services on the host are not running. Connecting via SmartConsole errors with "Failed to download CRLs". No service appears to be listening on 18264. For example, if I attempt to curl Google, I cannot validate TLS. The same completes if I ignore TLS errors.

The instance is deployed via Terraform, albeit not directly from the CheckPoint-supplied template. It has been extracted but gets passed all the correct and relevant parameters. The cloud_config.log and var/log/messages indicate boot and auto config OK.

[Expert@CP-Management:0]# curl_cli https://www.google.ocm
curl: (6) Couldn't resolve host 'www.google.ocm'
[Expert@CP-Management:0]# curl_cli https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Does anyone have any suggestions?

Thanks

0 Kudos
9 Replies
Chris_Atkinson
Employee

Is it the base R81.20 or with some Jumbo take applied?

CCSM R77/R80/ELITE
0 Kudos
cdav
Contributor

No hot fixes applied. Booted straight from AMI R81.20-BYOL Management. Runs first time wizard with config from cloud-init/cloud_config 

0 Kudos
Chris_Atkinson
Employee

I'd suggest applying the latest recommended JHF and if the problem persists consulting TAC.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Agree, good point.

Best,

Andy

0 Kudos
the_rock
Legend

I did this twice on AWS, but mind you, from the actual CP template, and all worked fine. Not sure, but it seems the way you did it definitely differs.

Best,

Andy

0 Kudos
cdav
Contributor

To add to this, I have now deployed from the CheckPoint-provided TF template for the management instance and run into the same error.

0 Kudos
the_rock
Legend

If that's the case, you may need to open a TAC case to check.

Andy

0 Kudos
Lesley
Leader

You need to open more ports. Check it out here:

https://support.checkpoint.com/results/sk/sk119134

-------
If you like this post please give a thumbs up (kudo)! 🙂
0 Kudos
cdav
Contributor

Hi Lesley,

I have looked at this article but it doesn't fit. Security groups for the mgmt EC2 are deployed as per the template and have the 3 required ports open. The instance used to connect via SC is in the same subnet as the Mgmt EC2 and has access on all ports to the Mgmt host.

[Expert@mgmt-tf:0]# ss -ntlp | grep '18264\|19009\|18190'
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))

[Expert@mgmt-tf:0]# curl_cli https://checkpoint.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
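As an added example (not code from the thread or from Check Point), a small Python script that parses `ss -ntlp` output in the exact shape quoted in the reply above and reports which of the three SmartConsole-related listeners (18190, 18264, 19009) are missing or owned by an unexpected daemon; the port-to-daemon mapping is assumed from the output shown in this thread, and the sample outputs are constructed.

```python
"""Verify that a Check Point management host exposes the listeners SmartConsole
needs, by parsing `ss -ntlp` output of the form quoted in the thread above."""
import re

# Expected owning daemon per port; assumed from the `ss` output in the thread
# (18190 fwm, 18264 cpca, 19009 java), not taken from Check Point documentation.
REQUIRED_LISTENERS = {18190: "fwm", 18264: "cpca", 19009: "java"}

# Matches the process name in: users:(("cpca",pid=8137,fd=11))
_USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(ss_output: str) -> dict:
    """Return {local_port: process_name} for every LISTEN line in `ss -ntlp` output."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and non-listening sockets
        # Local address is the 4th column, e.g. "*:18264" or "[::]:18264"
        port = int(fields[3].rsplit(":", 1)[1])
        m = _USERS_RE.search(line)
        listeners[port] = m.group(1) if m else "?"
    return listeners


def check_required_listeners(ss_output: str) -> dict:
    """Compare the parsed listeners with REQUIRED_LISTENERS.
    Returns {"missing": [ports], "unexpected_owner": {port: process_name}}."""
    seen = parse_ss_listeners(ss_output)
    missing = sorted(p for p in REQUIRED_LISTENERS if p not in seen)
    unexpected = {p: seen[p] for p, proc in REQUIRED_LISTENERS.items()
                  if p in seen and seen[p] != proc}
    return {"missing": missing, "unexpected_owner": unexpected}


# Constructed sample: same shape as the healthy output quoted in the thread
SS_HEALTHY = """\
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))
"""
# Constructed sample: the symptom from the first post, nothing listening on 18264
SS_NO_CPCA = """\
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))
"""

if __name__ == "__main__":
    print(check_required_listeners(SS_HEALTHY))  # {'missing': [], 'unexpected_owner': {}}
    print(check_required_listeners(SS_NO_CPCA))  # {'missing': [18264], 'unexpected_owner': {}}
```

On the host itself, feed it live output with `ss -ntlp | python3 this_script.py` after replacing the constructed samples with `sys.stdin.read()`.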


