question

0 Votes
petermeagher asked shashishailaj commented

Error when deploying Defender for Servers on an AWS EC2 Instance running Linux

Hi,
Is anyone familiar with the way to resolve this when running Defender for Servers deployed on an AWS EC2 instance with a Linux OS?

We are getting the following error:

Microsoft Root Certificate Authority 2011 certificate is not a trusted root certificate authority when using Linux / Squid proxy: NET::ERR_CERT_AUTHORITY_INVALID

And then this message: "This server could not prove that it is winatp-gw-cus.microsoft.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection."

The feedback is that the Linux certification is not trusted.

What is the recommendation for overcoming this? Should we force the certificate to show trust?

azure-security-center

@petermeagher, which version of Linux are you using? Asking because non-Azure machines for Azure Security Center need to be included using Azure Arc. Ideally, if the EC2 Linux VMs are not customized, they should have a trusted root certificate store where you could add the Microsoft root certificate, and that should prevent the above error. If you manually add the certificate it should help. Please let us know if that worked for you or not. On Azure VM images this error would never be seen, as the certificate store on the VMs would always contain the root cert. Please let me know if that solves the issue; if not, we will help you further on this.

Thank you.


1 Vote

Thank you for sharing this info, Shashishailaj. The client has added the certificate as a trusted cert for SSL and it helps to overcome the problem. They are just wondering now if this is a good practice to follow. Should they just add a cert moving forward under these circumstances?

1 Vote

I have posted the details as an answer below. You can surely add the root CA certificate if the trusted root cert is not present in your OS image. If you have this issue while using Defender for Linux servers, then yes, you can surely add these certificates without an issue.

0 Votes

1 Answer

1 Vote
shashishailaj answered shashishailaj commented

@petermeagher ,
Thank you for your patience with us. Let me start with some background on why the root cert is needed and how the trusted root certificate program works.

Why is the root certificate needed in the trusted root store on any machine?
Every operating system (OS) has a local certificate store where it stores trusted CA root certificates and trusted intermediate CA certificates. This helps any application or other systems/services verify the certificate chain. For example, if you open https://docs.microsoft.com in Microsoft Edge, the browser will be presented with a server-side certificate with which the docs.microsoft.com website will try to prove its identity (please check the screenshot for reference). The Edge browser will call the internal Windows security APIs to query the trusted root store for every certificate in the certificate chain, as you see in the picture, until it reaches the root certificate. It will check multiple other attributes of the certificate, like the SAN name, key identifier, etc., to see if the server certificate is valid and was actually provided by a valid root CA that the OS already trusts. In your case, since the OS does not have the certificate that winatp-gw-cus.microsoft.com presents, you get the NET::ERR_CERT_AUTHORITY_INVALID error.

[Attached screenshot: 90444-image.png, the certificate chain as shown in Microsoft Edge]

How does the trusted root certificate program work? (Reference)
Most OS/device/platform software manufacturers maintain a list of CA certificates which are trusted by default. They run trusted root certificate programs. Some of the most widely used OSes, like Windows, iOS, Android, Oracle Linux, etc., have their own root certificate programs, as listed below.

The above is just an indicative list of the most popular programs. There are other vendors who run similar programs. The companies who run root certificate authorities share their root CA certificates with the OS/software vendors by participating in the above programs, and that is how the root CAs flow to the trusted store of every OS/software/device for end users to use.

Some Linux OSes, like Debian, use the trusted certificate authority list from the Mozilla root program. I am not sure which version of Linux you are using, but as you have mentioned that adding the root certificate to the trusted store within the Linux OS fixed the issue, that tells us that the correct root certificate is not present in the trusted root store on the OS.

Placing a root certificate within a trusted store in the OS helps applications or users validate the certificates presented by any system/app/service and verify the chain up to one of the trusted root certificates. Ideally the EC2 Linux OS should have had the Microsoft CA certificate, and I am not sure why that happened. It can only happen if the EC2 image is customized to remove any certificates, or if whichever root program they follow does not include all the recent trusted root CA certificates from the widely used trusted root programs which every software vendor includes. AWS has its own root certificates, but I was not able to find details about their root program. It may be something which is not published publicly.

Now coming to your question of whether it is good practice to manually add certificates to the trusted root store or not: I think in your specific case this is safe to add going forward, as long as it is just for this root certificate from Microsoft. The only problem with adding a trusted root certificate manually is that you will need to verify the trusted root certificate yourself, and if you are sure that it is from the valid provider (like Microsoft in this case) then you can safely add it. The onus to verify the security/identity of the certificate lies with the individual doing it. In your case, I would suggest reporting this to Amazon support so that they can update the certificates within their Linux images to fix this issue broadly for everyone who is trying to use Defender for Linux servers.

Hope the above provides the detailed clarification you requested. I have included multiple links, and the information may be a little more than you requested, yet I thought it would be good to add the details to make it more understandable. Should this information help, please accept the post as the answer for others searching for similar queries. In case of any further queries, let us know and we would be happy to answer them.
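The chain check the answer describes, as an added example that is not part of the original post: it reproduces the "issuer not in the trust store" failure with the openssl CLI, shows it passing once the issuing root is in the bundle, and shows the fingerprint comparison to do before trusting a root. It assumes the openssl CLI is installed; all certificates are throwaway ones constructed in the script, and the Debian and RHEL/Amazon Linux anchor paths are the distributions' standard ones.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the openssl CLI
# is present; every certificate below is a constructed throwaway.
set -eu
WORK=$(mktemp -d)

# Build two throwaway root CAs and a leaf certificate signed by the first.
make_chain() {
  for name in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Demo $name CA" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against one trust bundle only (no system store), so the
# result depends purely on whether the issuing root is in that bundle.
verify_leaf() {
  if openssl verify -no-CApath -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted   # the situation behind NET::ERR_CERT_AUTHORITY_INVALID
  fi
}

# SHA-256 fingerprint of a certificate: compare it with the value the CA
# operator publishes before adding a root; this is the "verify it yourself" step.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Install a verified root into the system trust store (needs root privileges,
# not run here); Debian-style and RHEL-style systems differ in path and tool.
install_root() {
  if command -v update-ca-certificates >/dev/null 2>&1; then
    cp "$1" "/usr/local/share/ca-certificates/$2.crt" && update-ca-certificates
  elif command -v update-ca-trust >/dev/null 2>&1; then
    cp "$1" "/etc/pki/ca-trust/source/anchors/$2.crt" && update-ca-trust extract
  fi
}

make_chain
echo "against unrelated CA: $(verify_leaf "$WORK/other.pem")"
echo "against issuing CA:   $(verify_leaf "$WORK/root.pem")"
```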





What an awesome answer, thank you so much for the very insightful feedback and education in the process.
I really appreciate the information and time that you have taken to think this through. Kudos to you, Shashishailaj.

1 Vote

Thank you, @petermeagher, for the kind words. Much appreciated. We at Microsoft are committed to making the Q&A community the go-to place for any query related to our products and to providing a top-notch experience to everyone in this community.

0 Votes