Background

This article covers 3 separate but overlapping issues around a GPG key, SSL Certificate, and the AnonVPN. This is a critical update that you should plan to apply as soon as possible.  You can expect it to take somewhere between five minutes to no more than fifteen minutes per appliance.

GPG Key

Actions Issued from the Lastline backend to appliances are verified with a GPG key. This signature verifies that updates applied on customer appliances are coming from the Lastline update infrastructure, and it applies an additional level of security on top of the SSL encryption used to transmit commands.  

SSL Certificate

In older appliances, our Self-Signed Certificate was signed by an older Lastline Root certificate. For the child appliances to trust communication with the manager the entire certificate chain needs to be trusted. This older root certificate has expired (expired April 18th, 2022) causing the child appliance to not trust communication with the manager in older installations.

AnonVPN

The AnonVPN Certificate was signed by an older Lastline Root certificate which has expired. The AnonVPN is used by the Sandbox to avoid routing potentially malicious traffic through a customer's network.

Impact 

What are the GPG symptoms?
For Lastline hosted sensors, on-premise manager, analyst, and pinbox appliances that do not use the correct GPG key, there is no way to reconfigure them through an update to a new version. Attempts to reconfigure or update will result in appliances being stuck in a "pending" state. Additionally, appliances will not auto-upgrade to new releases. 

What are the SSL symptoms?
On-premise manager, analyst, and pinbox appliances that do not use the correct root certificate will cause child appliances to report as offline because communications between appliances over port 443 will be unable to be established. Hosted Sensors are not impacted

What are the AnonVPN symptoms?
On-premise manager, analyst, and Pinbox appliances that do not use the correct root certificate will show an error about being unable to establish a connection to the AnonVPN on llanonvpn0 interface. This only applies to customers using the default Lastline VPN connection and does not apply to appliances configured with a custom VPN connection or Honeypot.  Hosted Sensors are not impacted. The appliance Overview and Status screen would report the error:

Traffic Routing Check Upstream: Running check on interface llanonvpn0 reported error, repair failed: Failed to resolve interface address

Which appliances are impacted?
You will need to perform the steps below on all your Hosted Sensor, On-Premise Manager, Standby Manager, Analyst, and Pinbox appliances to ensure that they have the correct GPG key. While only On-Premise Managers, Standby Manager, Analyst, and Pinbox appliances need to check for the correct SSL certificate.

You do NOT need to take any action for your on-premise Lastline engines, sensors, or data nodes. These appliances are not impacted by this update.

Update Process

How to verify if an appliance has one of the 3 issues above?
The script below will automatically tell you if your GPG key or SSL cert is the correct version. It will even update the key/cert if you do not have the latest version.

To update the key:

1. If you do not have a Proxy, please skip to step 2.
   • For proxy environments, the environment variable https_proxy needs to be set by running:
      export https_proxy=http://PROXY_IP:PORT
2. Download script from our backend; Verify if your  key/cert needs an update
   • cd /tmp; wget https://update.lastline.com/updates/distros/update-sslcert-gpgkey.sh
   • sudo sh /tmp/update-sslcert-gpgkey.sh
3. Run the following command to update your key/cert:
   • sudo sh /tmp/update-sslcert-gpgkey.sh update
4. If needed and the appliance is still in a non-OK state, we recommend Re-Triggering Configuration from the Lastline Web UI using these steps:
   • Navigate to the "Admin" tab
   • Navigate to the "Appliances" section
   • On the Manager/Pinbox/Analyst appliance select the "Quick Links" dropdown and "Re-trigger configuration"
5. Ensure the Hosted Sensor upgrades to 1320.1 to ensure you will not have any problems with this issue in the future. 
   • If your Hosted Sensor report 1120 as the latest version. Please perform the Bionic upgrade as documented here.
   • Upgrading to any version older than 1320.1 will require this script to be run again.
6. On-Premise 9.5.3/appliance version 1120.3 is the release where the GPG key was updated to address these issues.
   • Upgrading to any other version before 9.5.3 will require this script to be run again.
   • If your On-Prem Manager/Analyst/Pinbox report 1110.8 as the latest version. Please perform the Bionic upgrade as documented here .