Jerry
Mentor

R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Hi folks

Just a quick one, but to some extent a complicated thing. A little background though:

1. R80.10 Standalone Appliance (all-in-one) as usual
2. no PKI done for either VPN or MAB (MAB is not in use)
3. The Gaia Portal has the typical per-IP cert error when you try to log in - that's normal

Research:

1. replace files at

/web/conf/server.crt
/web/conf/server.key

with your own one from your *.domain.com set (received as issued with Public CA)

based on sk109593

- result: Tomcat does not wake up at all, making your GAIA portal unusable

2. replacing the above files is not enough as long as your $CPDIR/conf/openssl.cnf has no CSR issued within the shell (of course not, as the CSR was done separately on a different device in order to make the wildcard cert!)
3. I see no path for importing a wildcard cert without generating a CSR on the particular appliance - do you?

GOAL:

1. have all GAIA portal(s) from each appliance within the network using the same wildcard cert already in hand from Comodo.

---

any ideas/tips/hints chaps?

I much appreciate your assistance as always (PhoneBoy especially) 🙂

Cheers

Jerry

71 Replies
Bryce_Myers
Collaborator

And just to confirm -- the only files you tried loading into Checkpoint was the cert and key as server.crt and server.key?

Jerry
Mentor

yes precisely Bryce 🙂 replacing the original ones with the crt and key from my wildcard set (pem format)

Bryce_Myers
Collaborator

If you run:

openssl x509 -in comodo.crt -noout -text

Do you receive an "unable to load certificate" error?

Jerry
Mentor

nope, even worse: command not found

Bryce_Myers
Collaborator

Oh - I think if you are running it from Gaia - it would be cpopenssl instead of openssl.

Jerry
Mentor

Last login: Fri Aug 18 21:16:43 2017 from ...
# cpopenssl x509 -in comodo.crt -noout -text
Error opening Certificate comodo.crt
4158806172:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('comodo.crt','r')
4158806172:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
unable to load certificate
#

Jerry
Mentor

any clue Bryce what would be the cause of the discrepancy here?

I've had a rough time over the last 2 days with lots of stuff to work on, but I'm happy for us to come back to the topic should you find time for it; I'd definitely appreciate that a lot.

Cheers

Jerry

Bryce_Myers
Collaborator

Jerry --

Sorry I took a little absence recently. I would love to help you out some more if you're still working on your certificate situation.

Here is a brief note I wrote up as I understand the certificate installation process:

There are basically 2 ways that Checkpoint serves web pages. The first is just a standard apache web instance, and the second is multi-portal, which is basically a reverse proxy to multiple apache instances.

Multi-Portal
    Checkpoint enables multi-portal if there is more than one apache instance that needs to be served.
    Most blades have portals associated and will use the multi-portal daemon:
        UserCheck:
            Application Control
            URL Filtering
            Data Loss Prevention
            Anti-Virus
            Anti-Bot
            Threat Emulation
            Threat Extraction
        SSLVPN:
            Mobile Access
        NAC:
            Identity Awareness

Standard Apache Instance
    These blades don't have extra portals associated with them:
        Firewall
        IPSec VPN
        IPS
        Monitoring
        QoS

So now with a brief understanding of Checkpoint's web instance, this will influence how the certificate install should work.

1 – Multi-Portal is enabled because at least one of the blades listed above under "Multi-Portal" is enabled, or has ever been enabled.
    Use the Checkpoint SmartDashboard Mechanism to install the certificate

2 – Multi-Portal isn't enabled
    Use the /web/conf/server.crt and /web/conf/server.key files to control the apache instance certificate

Jerry
Mentor

now I've got an outstanding result in Chrome (I've replaced the .crt and .key files with those generated from your advice) and ... see below Bryce:

Your connection is not private

Attackers might be trying to steal your information from cp.checkpoint.xxx (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Subject: *.checkpoint.xxx

Issuer: *.checkpoint.xxx

Expires on: Aug 15, 2027

Current date: Aug 17, 2017

PEM encoded chain:

now what do you say?

Jerry
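A pre-install check that covers both Bryce's "unable to load certificate" test above and the Subject == Issuer result in Jerry's Chrome error, added here as an example and not taken from the thread or from Check Point: it verifies the files before they go anywhere near /web/conf/server.crt and /web/conf/server.key. It assumes the openssl CLI is available (on GAiA set OPENSSL=cpopenssl, as Bryce noted); the function and variable names are the example's own.

```shell
# Pre-install sanity check for a cert/key pair destined for the Gaia portal.
# POSIX sh; set OPENSSL=cpopenssl when running in the GAiA shell.
OPENSSL="${OPENSSL:-openssl}"

# 0 if openssl can load the file as a certificate; anything else is the
# "unable to load certificate" case (wrong path, a key, or a PKCS#12 bundle).
cert_parses() {
    "$OPENSSL" x509 -in "$1" -noout >/dev/null 2>&1
}

# 0 if the cert was signed by itself: subject DN hash equals issuer DN hash.
# A self-signed cert is exactly what makes Chrome show NET::ERR_CERT_AUTHORITY_INVALID.
cert_is_self_signed() {
    s=$("$OPENSSL" x509 -in "$1" -noout -subject_hash 2>/dev/null)
    i=$("$OPENSSL" x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# 0 if the public key embedded in the cert is the public half of the private key.
cert_matches_key() {
    c=$("$OPENSSL" x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$("$OPENSSL" pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# One line per check; returns 0 only when the pair is safe to install.
check_portal_cert() {
    cert=$1; key=$2; rc=0
    if cert_parses "$cert"; then echo "OK   cert parses"
    else echo "FAIL cert does not parse (check path and PEM format)"; return 1; fi
    if cert_matches_key "$cert" "$key"; then echo "OK   key matches cert"
    else echo "FAIL key does not belong to this cert"; rc=1; fi
    if cert_is_self_signed "$cert"; then
        echo "FAIL cert is SELF-SIGNED (subject == issuer); browsers will not trust it"; rc=1
    else echo "OK   CA-issued: $("$OPENSSL" x509 -in "$cert" -noout -issuer)"; fi
    if "$OPENSSL" x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "OK   valid for more than 30 days"
    else echo "WARN cert expires within 30 days"; rc=1; fi
    # Wildcard certs carry the *.domain entry in subjectAltName; show it for review.
    echo "SAN: $("$OPENSSL" x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' ')"
    return $rc
}
```

Run it as `check_portal_cert wildcard.crt wildcard.key`; a FAIL on the self-signed line means the file is a locally generated test cert, not the Comodo-issued one.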
Jerry
Mentor

got all the time same lines:

from httpd2_error_log:

Mon Aug 14 11:20:58.831634 2017] [cgi:error] [pid 14353] [client a.b.c.d:19533] AH01215: \tdname=/web/cgi-bin2: /web/cgi-bin2/monitor.tcl, referer: https://aaa.bbb.net:xxxx/_d54e31794befe040c551734b8072711c/cgi-bin/home.tcl

from /var/log/messages

none with errors

any clue Bryce ?

reg. p12 - I don't need that procedure as I've got in hand the entire PKI chain from which I've made my p12, hence I do not need to decrypt the p12 in order to get the cert, csr, key and passphrase (obviously known). Hope it makes sense to you.

Jerry

Or_Lindner
Employee Alumnus

Hi Jerry,

I can see that many Apache modifications have been done on your environment.

Is it possible to revert the configuration changes and perform the SK (steps 8-12) from the beginning?

Then, please activate Apache logs (if you need help with them please ask me) and check what is the error exactly.

Or

Jerry
Mentor

Or, I haven't left any mods to the env. I've rolled back everything I've tried, so no panic, all is as genuine as possible. Still trying to work out how to load the wildcard cert so that it works on the Portal.

It works like a charm for MAB and VPN also for HTTPS Inspection but does not for Gaia Portal ... I think I've loaded or still load wrong files. See my replies to Bryce.

Thanks for all your hints I do much appreciate them as always.

J.
