[BUG] Dockerized Cortex behind a Proxy with custom CA won't trust online analyzers

Open chberti opened this issue 4 years ago • 5 comments
Using Dockerized Cortex behind a Proxy with custom CA

Request Type

Bug / Question

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | CentOS |
| OS version (client) | - |
| Cortex version / git hash | 31.1 |
| Package Type | Docker |
| Browser type & version | - |

Problem Description

I'm trying to set up a Cortex instance on a CentOS server. I chose the dockerized version of Cortex and Analyzers. As the instance is behind a proxy, I set up the right parameters to use it. With 'local' analyzers (MISP), analysis jobs work fine. When I use online analyzers, every one of them I have tested so far ends up in a failure: self signed certificate in chain.

I used to have an .RPM installation and everything worked properly. I think it comes from my custom CA which isn't mounted on Cortex container.

Any advice on this ?

Steps to Reproduce

  1. Setup Cortex via docker method
  2. Configure a Proxy Cortex should use (custom CA for HTTPS)
  3. Online analyzers won't trust the domains they try to reach.

Possible Solutions

I think I should mount my custom CA bundle on the Cortex container. But in my case (according to the documentation), Cortex itself runs other containers. Does that mean I should also find a way to mount my own CA bundle on those containers?

Complementary information

No screenshot for now, maybe later

chberti avatar Jul 07 '21 15:07 chberti

This will be difficult considering Python uses its own certificate store and not the system level one, so even if you were able to mount/overwrite it in the container -- I'm not sure it would work.

Analyzers and Responders will get the CA certificate as a configuration item if it is configured in the Cortex GUI, but I believe it's up to the author to make sure they obey and use it for any HTTP connections.

It looks like MISP has configuration/respects the CA certificate setting between the analyzer configuration and PyMISP? https://github.com/TheHive-Project/Cortex-Analyzers/blob/bb193a5732dfe0132a9b17b53dfdcb7f56bbfbc4/analyzers/MISP/misp.py#L17

mdtro avatar Aug 03 '21 23:08 mdtro

So it means in my use case the main Cortex container should be able to run analyzer containers with the CA set up on the fly? (Maybe rebuilding analyzer images would work, but I was looking for easy container image integrations on my platform...)

Seems like my problem is more of a Feature Request than a Bug then? Will change the tags and title :)

Thanks for your advice

chberti avatar Aug 04 '21 14:08 chberti

It actually just occurred to me that you might be able to use an environment variable here, assuming that most of the analyzers use requests for HTTP calls.

REQUESTS_CA_BUNDLE per https://docs.python-requests.org/en/stable/user/advanced/#ssl-cert-verification.

Do you think that might be possible to mount and pass in to the analyzer container?

mdtro avatar Aug 04 '21 16:08 mdtro

I think many of them use requests, so this might be a solution.

I tried to do something similar, haven't succeeded yet. One problem I might encounter is that the Cortex main container is the one that launches the analyzer containers. So to work properly I think the Cortex container should mount and pass REQUESTS_CA_BUNDLE when launching them.

To be tested soon :)

chberti avatar Aug 05 '21 08:08 chberti
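The mechanism discussed in the two comments above (a CA bundle that includes the proxy's CA, handed to the analyzer containers through REQUESTS_CA_BUNDLE), as an added example that is not part of this thread or of the Cortex project. It needs only a POSIX shell and openssl: it generates a throwaway CA standing in for the corporate proxy CA, builds a bundle from the system store plus that CA, shows that a certificate issued by the proxy CA verifies against the bundle and reproduces the "self signed certificate in certificate chain" failure when it does not, and prints the docker run flags that would carry the bundle into a container. The demo CA, the leaf name api.example.test, the in-container path /etc/ssl/certs/proxy-bundle.pem and the system bundle locations are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Cortex project code. Builds a CA bundle that includes a
# custom (proxy) CA, shows the verification failure the thread reports when that
# CA is missing, and prints the docker run flags that would hand the bundle to a
# container through REQUESTS_CA_BUNDLE. Needs only a POSIX shell and openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for the corporate proxy CA (constructed for the demo).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Proxy CA" \
        -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.pem" >/dev/null 2>&1
}

# Leaf certificate for a hypothetical analyzer target, issued by the demo CA.
# This is what a TLS-intercepting proxy presents in place of the real site cert.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=api.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/proxy-ca.pem" -CAkey "$WORK/proxy-ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Concatenate the first system bundle found (CentOS path first, then Debian)
# with the custom CA ($1) into $2. Prints the number of certificates written.
build_bundle() {
    : > "$2"
    for sys in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
        if [ -r "$sys" ]; then
            cat "$sys" >> "$2"
            break
        fi
    done
    cat "$1" >> "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# Verify leaf $2 against bundle $1, which is what requests does when
# REQUESTS_CA_BUNDLE points at that file. Prints OK on success.
verify_with_bundle() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || { echo "$out"; return 1; }
    echo "${out##*: }"
}

# Same leaf ($2) with the full chain supplied ($1), but the root is in no trust
# store: this is the "self signed certificate in certificate chain" failure.
verify_untrusted_chain() {
    openssl verify -untrusted "$1" "$2" 2>&1 | sed -n '/in certificate chain/p' | head -n 1
}

# docker run flags that mount bundle $1 read-only and point requests (and curl)
# at it. The in-container path is an assumed location.
docker_ca_flags() {
    dst=/etc/ssl/certs/proxy-bundle.pem
    printf -- '-v %s:%s:ro -e REQUESTS_CA_BUNDLE=%s -e CURL_CA_BUNDLE=%s\n' \
        "$1" "$dst" "$dst" "$dst"
}

make_demo_ca
make_leaf
build_bundle "$WORK/proxy-ca.pem" "$WORK/bundle.pem" >/dev/null
echo "with bundle:    $(verify_with_bundle "$WORK/bundle.pem" "$WORK/leaf.pem")"
echo "without bundle: $(verify_untrusted_chain "$WORK/proxy-ca.pem" "$WORK/leaf.pem")"
echo "flags for analyzer containers: $(docker_ca_flags "$WORK/bundle.pem")"
```

requests reads REQUESTS_CA_BUNDLE (and, failing that, CURL_CA_BUNDLE) only when the calling code leaves `verify` at its default, so an analyzer that passes its own `verify=` or uses a different HTTP library will ignore the variable. Since the Cortex container is the one that launches the analyzer containers, the mount and the environment variables have to reach those launches, not just the Cortex container itself.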

Hi @chberti, have you been able to resolve your issue? We are also struggling with this issue and we are running the same setup as you described (Cortex container launching the Cortex analyzer containers behind a company proxy). Regards

louismaxx avatar Jul 19 '22 14:07 louismaxx