Hello guys,
I'm trying to set up Skyline using TLS. I've tested that the payload with no TLS is working and I see stats in my Grafana.
I followed initial setup from - https://github.com/mmanningcp/skylineinstructions/tree/main?tab=readme-ov-file.
I configured basic auth based on the instructions from - https://prometheus.io/docs/guides/basic-auth/. I've created a cert and key using this config on the Gaia OS device:
[ req ]
default_bits = 4096
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ v3_req ]
subjectAltName = @alt_names
[ dn ]
C =
ST =
L =
O =
OU =
CN = localhost
[ alt_names ]
DNS.1 = localhost
DNS.2 = skyline.local
IP.1 = 127.0.0.1
IP.2 = x.x.x.x
I've moved these 2 files to my Prometheus/Grafana server and put the certificate into /usr/local/share/ca-certificates/. I modified the Prometheus service config file:
ExecStart=/home/user/prometheus-2.38.0.linux-amd64/prometheus --config.file=/home/user/prometheus-2.38.0.linux-amd64/prometheus.yml --web.enable-remote-write-receiver --web.config.file=/home/user/prometheus-2.38.0.linux-amd64/web-config.yml
web-config.yml:
tls_server_config:
  cert_file: /home/user/certs_gaia/mycert.crt
  key_file: /home/user/certs_gaia/key.unencrypted.key
basic_auth_users:
  admin: $2b$12$OLLx6DILLgx/6Djs9ILMeOYMt/xxxxxx
The Prometheus config file (prometheus.yml) contains:
# Remote write configuration
remote_write:
  - url: "https://x.x.x.x:9090/api/v1/write"
In the attachment you can see the settings of the Grafana data source (Prometheus); I used the certificate created on the Gaia device (in the CA cert section). While accessing the Prometheus GUI I'm asked to enter a login and password, so I assume that basic auth is working fine. I used this payload for the Check Point device (the cert is on one line):
{
  "enabled": true,
  "export-targets": {
    "add": [
      {
        "client-auth": {
          "basic": {
            "username": "admin",
            "password": "password"
          }
        },
        "enabled": true,
        "server-auth": {
          "ca-public-key": {
            "type": "PEM-X509",
            "value": "-----BEGIN CERTIFICATE-----MIIFfzxx==-----END CERTIFICATE-----"
          }
        },
        "type": "prometheus-remote-write",
        "url": "https://x.x.x.x:9090/api/v1/write"
      }
    ]
  }
}
After executing sklnctl export --set "$(cat /home/admin/tls.json)" I see:
{"message": "Operation has finished successfully"}.
I'm still not getting any data in my Grafana; see the attachment for the error. In the Prometheus logs (journalctl -u prometheus.service) I see:
ed HTTP status 401 Unauthorized: Unauthorized"
Jul 23 18:34:11 skyline prometheus[194707]: ts=2024-07-23T16:34:11.665Z caller=stdlib.go:105 level=error component=web caller="http: TLS handshake error from checkpoint_ip:42536" msg="remote error: tls: bad certificate"
There is also an error in the Prometheus GUI under Targets. Using the command curl -u admin https://localhost:9090/metrics from the Prometheus CLI, after entering the password I got the expected response as written in https://prometheus.io/docs/guides/basic-auth/.
Can you please suggest some steps to troubleshoot this issue further?
Thanks a lot.
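An added pre-flight check for a setup like the one above (example code written for this thread, not from the original post, Check Point, or Prometheus): before looking at the handshake itself, verify offline that the host in the remote-write URL is covered by a subjectAltName entry of the right kind, and that the PEM you paste into ca-public-key is framed the way certificate parsers expect. The SAN list and the IP 192.0.2.10 (standing in for x.x.x.x) are constructed sample values, and the helper names are assumptions of this example.

```python
"""Offline checks for a TLS remote-write target (added example, stdlib only)."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the SAN entries a server cert would carry when issued
# from the [alt_names] section shown in the thread (x.x.x.x -> 192.0.2.10).
SAMPLE_SAN = ["DNS:localhost", "DNS:skyline.local", "IP:127.0.0.1", "IP:192.0.2.10"]


def _dns_match(host: str, pattern: str) -> bool:
    """Exact DNS match, or a single leading '*.' wildcard covering one label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def san_matches_url(url: str, san_entries) -> bool:
    """Return True if the URL's host is covered by a SAN entry.

    Mirrors the rule TLS clients apply: a host written as an IP address must
    match an IP: entry (a DNS: entry with the same text does not count), and a
    DNS host matches a DNS: entry, case-insensitively.
    """
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if ip is not None:
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_match(host.lower(), value.lower()):
            return True
    return False


# BEGIN line, base64 body, END line: each on its own line.
PEM_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+/=\r\n]+?)\r?\n-----END CERTIFICATE-----\r?\n?$"
)


def pem_problem(pem: str):
    """Return None if the PEM block looks well-formed, else a short reason.

    OpenSSL's PEM reader and Go's encoding/pem (which Prometheus uses) expect
    the BEGIN and END markers on their own lines, so a certificate flattened
    onto a single line is rejected before any trust decision is made.
    """
    m = PEM_RE.match(pem)
    if not m:
        if "-----BEGIN CERTIFICATE-----" in pem and "\n" not in pem.strip():
            return "BEGIN/END markers and base64 body must be on separate lines"
        return "not a PEM CERTIFICATE block"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return "body is not valid base64"
    if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
        return "decoded body is not a DER SEQUENCE"
    return None


if __name__ == "__main__":
    url = "https://192.0.2.10:9090/api/v1/write"
    print("SAN covers URL host:", san_matches_url(url, SAMPLE_SAN))
    one_line = "-----BEGIN CERTIFICATE-----MIIBAAAA-----END CERTIFICATE-----"
    print("one-line PEM problem:", pem_problem(one_line))
```

If san_matches_url is False for the URL the gateway uses, the client will report a bad certificate even when it trusts the issuer, because an IP in the URL is only matched against IP: entries. If pem_problem reports the single-line framing, restore the newlines (in JSON, as \n escapes inside the string) before loading the payload; the example checks framing only and does not verify the chain or the key pair.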