CA Issues on AWS R81.20 Manager

cdav · ‎2024-02-21

I have deployed an EC2 manager from market place image in AWS. I keep running into an issue where it would appear the CA services on the host are not running. Connecting via SmartConsole errors with "Failed to download CRLs". No service appears to be listening on 18264. For example if i attempt to curl google I cannot validate TLS. The same completes if i ignore TLS errors.

The instance is deployed via terraform albeit not directly from the CheckPoint supplied template. It has been extracted but gets passed all the correct and relevant parameters. The cloud_config.log and var/log/messages indicate boot and auto config ok.

[Expert@CP-Management:0]# curl_cli https://www.google.ocm
curl: (6) Couldn't resolve host 'www.google.ocm'
[Expert@CP-Management:0]# curl_cli https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Does anyone have any suggestions?

Thanks

Chris_Atkinson · ‎2024-02-21

Is it the base R81.20 or with some Jumbo take applied?

CCSM R77/R80/ELITE

cdav · ‎2024-02-21

No hot fixes applied. Booted straight from AMI R81.20-BYOL Management. Runs first time wizard with config from cloud-init/cloud_config

Chris_Atkinson · ‎2024-02-21

I'd suggest applying the latest recommended JHF and if the problem persists consulting TAC.

CCSM R77/R80/ELITE

the_rock · ‎2024-02-21

Agree, good point.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2024-02-21

I did this twice on aws, but mind you from actual cp template and all worked fine. Not sure, but seems the way you did it definitely differs.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

cdav · ‎2024-02-23

To add to this I have now deployed from the CheckPoint provided TF template for management instance and run into the same error.

the_rock · ‎2024-02-23

If thats the case, may need to open TAC case to check.

Andy

Best,
Andy
"Have a great day and if its not, change it"

Lesley · ‎2024-02-23

You need to open more ports. Check it out here:

https://support.checkpoint.com/results/sk/sk119134

-------
Please press "Accept as Solution" if my post solved it 🙂

cdav · ‎2024-02-24

Hi Lesly,

I have looked at this article but it doesnt fit. Security groups for the mgmt ec2 are deployed as per template and have the 3 required ports open. Instance used to connect via SC is in the same subnet as Mgmt EC2 and has access on all ports to Mgmt host.

[Expert@mgmt-tf:0]# ss -ntlp | grep '18264\|19009\|18190'
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))

[Expert@mgmt-tf:0]# curl_cli https://checkpoint.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Are you a member of CheckMates?

CA Issues on AWS R81.20 Manager