We have set up the AppSec solution, running on a couple of machines in AWS (we used the CloudFormation template). We got it up and running fine, and went through the setup of getting certificates from the AWS certificate store.
We set up our first website, and everything was working; I see the logs verify that we get the certificate from the AWS store. Everything is all OK! It was a pretty straightforward setup and works fine for that one site.
Then, after some time, we were adding in a few more sites with different certificates. We did exactly the same, no changes in IAM roles, same as before. (We did it several times, since we thought we did something wrong.)
But we keep getting errors:
```
{"eventTime": "2022-12-09T08:04:31.677","eventName": "The AppSec Gateway's certificate for URL '<https://xxx.xxxx.xxx.xxx.xxxx>' could not be found in cloud certificate store","eventSeverity": "Critical",
{"logIndex": 8,"eventRemediation": "Verify the relevant certificate exists in the appropriate location. error: <Host xx.xxxx.com could not be matched to any of the certificates>","eventObject":
{"notificationConsumerData": {"certificationStatusNotificationConsumers": {"assetId": "xxxxxa-c145-xx8c-53d6-xxxxxxx2c","profileId": "42xxxx3-2362-5xxx-498b-1xxxxxce","certType": "Aws","url":
"https://xxx.xxx.xxx.xxx","message": "The AppSec Gateway's certificate for URL '<https://xx.x.x.xx.xxx.xx>'
could not be found in cloud certificate store"}}},"notificationId": "41xxxb1-e9bc-4xxx3-8xxb-xxxxxxxxb"}}
```
The event viewer in the Infinity portal also tells me to check the IAM roles.
The thing is, we have gone through this several times. We have also brought in consultants on certificates and IAM in AWS. We are totally unable to find anything wrong. (In addition we have restarted services, rebooted the servers...)
Referring to the AppSec documentation, we do get a few commands relating to cpnano, but can anyone tell me if there is some place that describes a more advanced troubleshooting method? Or, even better, has anyone had the same issue?
To note: the original site we got working is still working. We have also reached out to Check Point and are waiting for a remote session.
I read your post carefully and here is my logic on this. I'm not by any means an AWS cloud expert at all, but based on the error you indicated
"The AppSec Gateway's certificate for URL '<https://xxx.xxxx.xxx.xxx.xxxx>' could not be found in cloud certificate store","eventSeverity": "Critical",
to me, that clearly complains that it cannot locate the proper cert anywhere. Now, I know you said you guys brought in a consultant to check on this, but can you maybe verify where the cert is located for the initial site that does work?
Yes, we have done this. And it's where it's supposed to be, and where the new ones are. Also we keep referring to:
https://appsec-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-mac...
The error message is pretty clear, so I do agree; it might be a typo somewhere or something. But we have been through it 4 times now.
Hey,
Do the other certificates contain SAN (Subject Alternative Name)?
AppSec uses the SAN to match the relevant certificate to the correct asset.
You can also try to run CertVerify on the certificate and understand from the outcome whether there is an issue with the certificate itself.
I would also check that the correct tag is in place with the correct ARN.
Thank you for the tip - I will get that checked ASAP!
Hi,
So the site that is working has a wildcard cert, so that one does not have a SAN.
The site that is not working does have a SAN.
Well, that's interesting that a wildcard cert would work... how many hostnames are protected by the cert for the site that's failing?
The wildcard is, as of now, protecting two sites.
Then I have two sites, with two different certs, that are both failing.
Could it be the use of the wildcard that messes things up? I have considered removing it... (We are not in production yet for these sites.)
Hey,
The wildcard is supported, so I don't think this can mess things up.
It is weird, but, my rule is: if it works, don't touch 🤐
Did you double check that the correct tag is attached with the correct ARN?
I assumed that this was the tags in the Secrets Manager in AWS? If so, yes, those are verified.
OK, so apart from the SAN and one being a wildcard cert, you guys don't see any other differences?
Yes. Ok, so it looks weird according to what you described.
Let's look further into it tomorrow on the remote session that you scheduled.
So TAC got this resolved, and it came down to the tag in AWS Secrets Manager being written as "Private Key", not as "private key". This actually created a world of problems, crashing the reverse proxy running on the AppSec. Thanks to TAC for the major digging that was needed to figure that out, and a fix that's probably on the way very soon! 🙂
Hmm, nice learning for us as well. I run all AppSec on my customized nginx reverse proxy using the nginx nano agent, hence I manage the certs on my reverse proxy box.
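Two offline checks that cover the points raised in this thread: the SAN/wildcard hostname matching discussed above, and the case-sensitive tag key that turned out to be the root cause. This is an added example, not Check Point code, and it does not claim to reproduce how the AppSec agent itself matches certificates: the hostname matching follows the standard RFC 6125 rules (exact SAN entry, or a single left-most wildcard label), and the tag audit assumes the expected key is literally `private key` as stated in the resolution. The certificate names and tag list are constructed stand-ins; with real data the tag list would come from `boto3` `describe_secret()['Tags']`, which has the same `Key`/`Value` shape.

```python
"""Offline diagnostics for 'certificate could not be matched' style errors.

Added example (not Check Point code). Inputs below are constructed stand-ins.
"""
from typing import Dict, List, Optional

# Tag key spelling taken from the thread's resolution; assumed to be exact.
EXPECTED_TAG_KEYS = ("private key",)


def hostname_matches(hostname: str, san_names: List[str]) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None.

    RFC 6125 rules: case-insensitive label comparison, a wildcard is only
    allowed as the whole left-most label, it matches exactly one label, and
    it never matches the bare parent domain.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return name
        if (
            labels[0] == "*"
            and len(labels) >= 3              # reject "*.test" style wildcards
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return name
    return None


def audit_tags(tags: List[Dict[str, str]], expected_keys=EXPECTED_TAG_KEYS) -> Dict[str, str]:
    """Check Secrets Manager style tags ([{"Key":..,"Value":..}]) for each expected key.

    Reports "ok", "missing", or a case-mismatch naming the key actually present,
    which is exactly the failure mode described in the thread.
    """
    present = {t["Key"] for t in tags}
    by_lower = {k.lower(): k for k in present}
    report = {}
    for key in expected_keys:
        if key in present:
            report[key] = "ok"
        elif key.lower() in by_lower:
            report[key] = f"case-mismatch: found {by_lower[key.lower()]!r}"
        else:
            report[key] = "missing"
    return report


def diagnose(hostname: str, certs: Dict[str, List[str]], tags: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine both checks for one asset hostname. `certs` maps a label to its SAN list."""
    covering = {label: m for label, sans in certs.items() if (m := hostname_matches(hostname, sans))}
    return {"hostname": hostname, "covering_certs": covering, "tags": audit_tags(tags)}


# Constructed sample data: one wildcard cert and one SAN cert, plus a tag
# written with the wrong case (as in the thread).
SAMPLE_CERTS = {
    "wildcard-cert": ["*.example.test"],
    "san-cert": ["app1.example.test", "app2.example.test"],
}
SAMPLE_TAGS = [{"Key": "Private Key", "Value": "arn:aws:PLACEHOLDER"}]  # placeholder ARN

if __name__ == "__main__":
    for host in ("app1.example.test", "app3.example.test", "example.test"):
        print(diagnose(host, SAMPLE_CERTS, SAMPLE_TAGS))
```

Running it shows that `app1.example.test` is covered by both sample certs, `app3.example.test` only by the wildcard, and the bare `example.test` by neither, while every run flags the tag as a case mismatch rather than "missing", which is the distinction the portal's "check the IAM roles" hint did not make.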