
[Security Director] IPS Signatures fail to download


Article ID: KB35205 KB Last Updated: 04 Jan 2020 Version: 3.0
Summary:

IPS signatures fail to download after the signatures.juniper.net server certificate expired. After the certificate was replaced, Junos Space Security Director needs to be updated to trust the new certificate.

Symptoms:

When attempting to view the available signatures list, "No Data available" is seen.

If the problem continues after applying the updated certificate, and messages in server.log do not match those listed below, Junos Space is likely not allowed to access signatures.juniper.net.


Signature download jobs are failing with the following error:

URL is not accessible for url https://signatures.juniper.net/space/2/latest/manifest.xml

This can be verified in /var/log/jboss/servers/server1/server.log with the following command:

grep SSLSocketFactoryUtils /var/log/jboss/servers/server1/server.log | grep -E 'java\.security\.cert\.Certificate(Expired)?Exception'

# When the certificate was expired on the Juniper site
2019-10-18 17:15:56,322 ERROR [net.juniper.jnap.sm.idp.utils.urlDataHandler.SSLSocketFactoryUtils] (Conn Thread) Certificate is not valid or expired.: java.security.cert.CertificateExpiredException: NotAfter: Thu Oct 17 23:59:59 UTC 2019

# After the certificate has been updated on signatures.juniper.net, but Security Director does not yet have the new certificate loaded as trusted. (May also be caused by a local SSL proxy server, if the problem continues after the Juniper certificate is updated.)
2019-10-25 15:39:20,283 ERROR [net.juniper.jnap.sm.idp.utils.urlDataHandler.SSLSocketFactoryUtils] (Conn Thread) Certificate not trusted.: java.security.cert.CertificateException: Certificate not trusted
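
As an added example (not part of the original article and not Juniper code), the shell function below classifies the newest certificate error in server.log into the two cases listed above, or reports that neither is present. The function names and the temporary sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Juniper's code). Function names and the temp-file
# sample logs are constructed for illustration.

# Print the class of the newest certificate error logged by SSLSocketFactoryUtils.
classify_sig_tls_failure() {
    # The pattern also covers CertificateExpiredException, which a plain
    # "CertificateException" match would skip.
    last=$(grep SSLSocketFactoryUtils "$1" 2>/dev/null \
        | grep -E 'java\.security\.cert\.Certificate(Expired)?Exception' \
        | tail -n 1) || true
    case "$last" in
        # Server certificate on signatures.juniper.net had expired.
        *CertificateExpiredException*) echo expired ;;
        # Certificate replaced, but Security Director (or an SSL proxy
        # in the path) presents one that is not trusted yet.
        *"Certificate not trusted"*) echo untrusted ;;
        # No matching message: check that Junos Space is allowed to
        # reach signatures.juniper.net.
        "") echo no-cert-error ;;
        *) echo other-cert-error ;;
    esac
}

# Write a constructed sample log; $1 selects which messages it contains.
make_sample_log() {
    f=$(mktemp)
    pfx='ERROR [net.juniper.jnap.sm.idp.utils.urlDataHandler.SSLSocketFactoryUtils] (Conn Thread)'
    echo '2019-10-18 17:00:00,000 INFO [constructed.Unrelated] (main) started' > "$f"
    case "$1" in expired|both)
        echo "2019-10-18 17:15:56,322 $pfx Certificate is not valid or expired.: java.security.cert.CertificateExpiredException: NotAfter: Thu Oct 17 23:59:59 UTC 2019" >> "$f" ;;
    esac
    case "$1" in both)
        echo "2019-10-25 15:39:20,283 $pfx Certificate not trusted.: java.security.cert.CertificateException: Certificate not trusted" >> "$f" ;;
    esac
    echo "$f"
}

sample=$(make_sample_log both)
echo "newest failure: $(classify_sig_tls_failure "$sample")"
rm -f "$sample"
```

On a real system, pass /var/log/jboss/servers/server1/server.log as the argument instead of the sample file.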
Cause:

The signatures.juniper.net server certificate expired and has been updated.

Security Director versions released prior to Oct 17 23:59:59 UTC 2019 have the expired certificate built in, and do not trust the new certificate.

Solution:

Note: This is a partial fix. signatures.juniper.net is hosted in multiple regions and has different CA certificates. This certificate is only for one of the regions, so downloads only work part of the time depending on balancing.

NOTE: Development has created a patch that works with multiple certificates. This patch will be published on the SD download page soon. Contact JTAC if the patch is needed sooner.


Temporary workaround:

Download the updated certificate directly from signatures.juniper.net via CLI or Web browser (process varies)

OR

Download here

sha1sum:
bc22434cf8ec70bfa0529caa7c15ab12e3c37865  SignaturesJuniperNetServerCertificate_20191025_0845.txt

Navigate to: Administration, Signature Database, Signature Download Settings

Server Certificate, Browse to file

Then press OK. The new certificate will upload, and Security Director downloads the latest signature package.

Modification History:
2020-01-03: Minor edits.
2019-11-07: Added "partial fix" note to the Solution field.