ww1m6
Explorer

Certificate Signed By Unknown Authority

Hey there fellows!

So I have been trying to set up integration between the Skyline and Mimir, so far so good.
Following the post Custom-http-Header-for-Export-and-HTTPS-without-authentication/ and the recommendation of Elad_Chomsky, I have tried setting it up with the following config file:

 

{
  "enabled": true,
  "export-targets": {
    "add/remove": [
      {
        "client-auth": {
          "token": {
            "custom-header": {
              "key": "X-Scope-OrgID",
              "value": "1"
            }
          }
        },
        "enabled": false,
        "server-auth": {
          "ca-public-key": {
            "type": "PEM-X509",
            "value": "-----BEGIN CERTIFICATE-----BASE64TEXTHERE-----END CERTIFICATE-----"
          }
        },
        "type": "prometheus-remote-write",
        "url": "https://example.com/api/v1/push"
      }
    ]
  }
}

 

The only problem I have run into is the "ca-public-key". I tried putting the certificate of the Mimir or even the CA that signed the Mimir certificate, but looking at "otelcol.log" I see the following error message:

 

"Exporting failed. the error is not retryable. Dropping data.   {"kind": "exporter", "data_type": "metrics", "name": "prometheusremotewrite", "error": "Permanent error: Permanent error: Post \"<url-of-mimir>/api/v1/push\": x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"<Root CA Name>\")", "dropped_items": 737}

 

Any advice? Or any idea what I can do? What can I check?

0 Kudos
5 Replies
PhoneBoy
Admin

Have you included the entire CA chain (not just the root)?

ww1m6
Explorer

My certificate tree in the Mimir is:

RootCA ---> Intermediate CA ---> The Mimir Certificate

I have tried putting the Mimir/Intermediate alone each time; I couldn't find a good explanation by Check Point about what to put there.
How should I do it?

Just combine both the root and the intermediate?

0 Kudos
PhoneBoy
Admin

The value should contain the entire certificate chain so it can be correctly validated.
That means the public certificate of the Root CA followed by the public certificate of the Intermediate CA followed by the Mimir Certificate.
This is not Check Point specific.

ww1m6
Explorer

Still no go, I tried every combination:

root + inter + mimir / root + inter / inter / root / inter + mimir / mimir = x509 certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"<Intermediate CA name>\")"

public-ca-key:

value: "-----BEGIN CERTIFICATE-----<RootCA>-----END CERTIFICATE----------BEGIN CERTIFICATE-----<InterCA>-----END CERTIFICATE----------BEGIN CERTIFICATE-----<MimirCERT>-----END CERTIFICATE-----"

I'm really lost here.

0 Kudos
ww1m6
Explorer

Does the CA have to be among the CAs in the Gateways?

0 Kudos
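An added example, not part of the thread and not Check Point's code: Go's x509 verifier, which produces the otelcol error quoted above, picks a "candidate authority" by matching the issuer name and then checks the signature, so "crypto/rsa: verification error" means a supplied CA certificate carries the right name but not the key that signed the certificate below it. `CheckLinks` applies that per-link test to a PEM bundle; `mkCert`, the names "Example Root CA" and "mimir.example", and the test certificates (all marked as CAs for brevity) are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn; a nil parent means self-signed.
func mkCert(cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// CheckLinks lists bundle members that are named as an issuer but whose key did not sign the certificate.
func CheckLinks(bundle []byte) ([]string, error) {
	var der []byte
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		der = append(der, blk.Bytes...)
	}
	certs, err := x509.ParseCertificates(der) // nil on error, so the loops below are skipped
	var bad []string
	for _, c := range certs {
		for _, p := range certs {
			if err := c.CheckSignatureFrom(p); string(c.RawIssuer) == string(p.RawSubject) && err != nil {
				bad = append(bad, fmt.Sprintf("%q names issuer %q, but that bundled key did not sign it: %v", c.Subject.CommonName, p.Subject.CommonName, err))
			}
		}
	}
	return bad, err
}

func main() {
	root, rootKey, _ := mkCert("Example Root CA", nil, nil)
	_, _, leaf := mkCert("mimir.example", root, rootKey)
	_, _, rekeyed := mkCert("Example Root CA", nil, nil) // same name, different key
	fmt.Println(CheckLinks(append(rekeyed, leaf...)))
}
```

To use it on real files, pass the candidate "ca-public-key" bundle concatenated with the certificates the server actually presents; an empty result with a nil error means every name-matched link also verifies.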
