Some Linux clients are not able to connect to GlobalProtect after May 30 2020 if GP certificate is signed by Expired AddTrust CA

Some Linux clients are not able to connect to GlobalProtect after May 30 2020 if GP certificate is signed by Expired AddTrust CA

9876
Created On 06/03/20 17:52 PM - Last Modified 06/03/20 18:10 PM


Symptom
Some users may see issues with Linux clients not being able to connect to Global Protect after May 30 2020.
GP certificate is found to be cross signed by AddTrust CA. On May 30 2020, AddTrust CA and several cross-signed certificates got expired.

More details here:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
 


Environment
This issue will be seen if:
1. GP certificate chain includes AddTrust CA and/or one of the expired intermediate CA.
and
2. Linux clients choose to chain using AddTrust CA(this behavior is mostly seen with openssl older than 1.1.1), or the new CAs are not updated in the Linux cert store.


Cause
Certificate chain imported for GP portal and gateway is configured incorrectly, such that it includes CA certificates such as AddTrust which expired on May 30 2020.

Resolution
The issue can be fixed by one of the following:
  • Fix the certificate chain of GP portal and gateway certificates to send only the unexpired certificates.
  • Delete the expired AddTrust root CA, and update the cert store to include new CAs in the Linux Trust CA store.
For the new unexpired CA certificates to be used in certificate chain, please check support sectigo link.
Since the GP is controlled by admin managing Palo Alto Networks firewalls, the best fix is to follow step#1,
unlike SSL Decryption where admin has no control over websites on the internet.

 


Additional Information
  • If you are unsure if your certificate chain carries expired CA, you may try one of the following as a quick check:
  1.  Take pcap and look for expiration date on CA certificates 
  2.  Analyse the GP URL using ssllabs, and look for section "Additional Certificates (if supplied)". If you find an expired certificate anywhere in the chain, this requires update to the cert chain imported for GP in the firewall.
  • If the issue is that the Linux client doesn't have latest updated CAs, please follow corresponding procedure to update latest CAs.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UHM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments