Security Intelligence URL feed download fails with error "Download unsucessful: SSL peer certificate or SSH remote key was not OK"
The FMC does not enforce peer certificate verification for custom Security Intelligence (SI) feeds, but the download can still fail when the hostname does not match the certificate CN or when a self-signed certificate is used. The following conditions cause SI feed failures for custom feeds:

1 - The DNS hostname does not match the CN hostname in the certificate Subject line.
2 - An IP address is used instead of the hostname.
3 - The correct hostname is used for the SI feed, but it does not match the CN in the certificate. Example: sifeed.company.com vs CN=sifeed.
4 - The SI feed server uses a self-signed certificate or a certificate bundle. FMC does not support certificate bundles or self-signed certificates. A certificate signed by a local CA is accepted without complaint, but if a self-signed certificate is used, the SI download may fail.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/objects-object-mgmt.html

The following examples show how the hostname affects the feed:

```
root@FMC1:/Volume/home/admin# wget 192.168.1.136
--2022-09-16 11:06:38-- 192.168.1.136/
Connecting to 192.168.1.136:443... connected.
ERROR: cannot verify 192.168.1.136's certificate, issued by 'CN=sifeed':
Self-signed certificate encountered.
ERROR: certificate common name 'sifeed' doesn't match requested host name '192.168.1.136'.
To connect to 192.168.1.136 insecurely, use `--no-check-certificate'.
root@FMC1:/Volume/home/admin#
```

We see two issues here:

ERROR: cannot verify 192.168.1.136's certificate, issued by 'CN=sifeed':
ERROR: certificate common name 'sifeed' doesn't match requested host name '192.168.1.136'.

Root cause:
1 - The hostname does not match the CN.
2 - The certificate is not trusted / cannot be verified.

```
root@FMC1:/Volume/home/admin# wget sifeed.fp.lab
--2022-09-16 11:08:38-- sifeed.fp.lab
Resolving sifeed.fp.lab... 192.168.1.136
Connecting to sifeed.fp.lab|192.168.1.136|:443... connected.
ERROR: cannot verify sifeed.fp.lab's certificate, issued by 'CN=sifeed':
Self-signed certificate encountered.
ERROR: no certificate subject alternative name matches requested host name 'sifeed.fp.lab'.
To connect to sifeed.fp.lab insecurely, use `--no-check-certificate'.
```

Root cause: the certificate CN matched the host's short name, but peer certificate verification failed because of the mismatch between the requested name sifeed.fp.lab and the CN 'sifeed'.

The following shows skipping certificate verification while using the correct hostname based on the certificate CN:

```
root@FMC1:/Volume/home/admin# wget sifeed --no-check-certificate
--2022-09-16 11:16:15-- sifeed
Resolving sifeed... 192.168.1.136
Connecting to sifeed|192.168.1.136|:443... connected.
WARNING: cannot verify sifeed's certificate, issued by 'CN=sifeed':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'feed.html.5'
feed.html [ ] 3.77K --.-KB/s in 0.001s
2022-09-16 11:16:15 (2.59 MB/s) - 'feed.html' saved [3859]
```
Based on the openssl command output from the FMC CLI, update the SI feed hostname so that it matches the certificate, then check whether the issue persists. If it persists, contact TAC referencing this defect.

```
> expert
$ sudo su
# openssl s_client -showcerts -connect <feed-hostname>:443
```

Example:

```
# openssl s_client -showcerts -connect localfeed.local:443
```

Note that FMC does not support certificate bundles or self-signed certificates. A certificate signed by a local CA is accepted without complaint, but if a self-signed certificate is used, the SI download may fail.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/objects-object-mgmt.html
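The four failure conditions and the two wget root causes above, turned into a pre-flight check a feed operator can run on an exported server certificate before configuring the feed URL. This is an added example, not Cisco or FMC code: NewLabCert and DiagnoseFeedCert are names chosen here, and the generated certificate is a constructed replica of the lab server's self-signed CN=sifeed certificate with no subjectAltName.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewLabCert is a constructed stand-in for the lab feed server's certificate
// in the transcript above: self-signed, CN=sifeed, no subjectAltName.
func NewLabCert() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sifeed"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// DiagnoseFeedCert lists which feed-failure conditions apply when `requested` is the
// host in the SI feed URL: SAN entries win when present, otherwise the CN is compared.
func DiagnoseFeedCert(cert *x509.Certificate, requested string, trusted *x509.CertPool) []string {
	var issues []string
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		if cert.Subject.CommonName != requested { // covers conditions 1, 2 and 3
			issues = append(issues, fmt.Sprintf("CN %q does not match requested host %q", cert.Subject.CommonName, requested))
		}
	} else if cert.VerifyHostname(requested) != nil {
		issues = append(issues, "no subject alternative name matches "+requested)
	}
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) { // condition 4
		issues = append(issues, "self-signed certificate (issuer == subject)")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		issues = append(issues, "not trusted: "+err.Error())
	}
	return issues
}
```

Running DiagnoseFeedCert with an empty trust pool for "192.168.1.136", "sifeed.fp.lab" and "sifeed" reproduces the three transcripts: the first two report a name mismatch plus the self-signed and trust findings, the last only the self-signed and trust findings.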