Palo Alto Networks Knowledgebase: Error: Reverse proxy key XXXX.YYY doesn't match certificate issued to <> in System Logs

Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:06 AM
Policy
Symptoms

With inbound SSL decryption (SSL Inbound Inspection) enabled for the server example.com, the system log shows:

reverse proxy key example.com doesn't match certificate issued to example1.com

Diagnosis

The above error indicates that the server certificate (and its private key) imported into the firewall for inbound SSL decryption does not match the certificate that the server actually presented to the client. In this case the server presented a certificate issued to example1.com, while the decryption policy is bound to the certificate for example.com.



Resolution

To verify this behavior:

  1. Take a packet capture on the client or on the firewall for the entire transaction: How to Run a Packet Capture
  2. Find the packet that contains the SSL handshake message "Certificate" (sent from the server to the client).
  3. Expand the packet, locate the certificate(s) and note the serialNumber and validity of the server certificate. Alternatively, right-click the certificate you want, select "Export Packet Bytes" and save it to a file; this gives you the certificate in DER form.
  4. Compare the serial number and validity of this certificate with the serial number and validity of the certificate loaded on the firewall and referenced by the decryption policy. If they differ, the server is presenting a different certificate than the one the firewall holds, and decryption cannot succeed.
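To make the comparison in step 4 concrete, the following script is an added example (not from the article and not Palo Alto Networks code). It reads the certificate exported from the capture (DER, as saved by "Export Packet Bytes") and the certificate loaded on the firewall (exported as PEM), and reports which of serial number, validity, subject CN and SHA-256 fingerprint differ. It goes beyond the article's check by also comparing the fingerprint, which settles the question even when two certificates happen to share a CN and validity period. It uses only the Python standard library, with a minimal DER reader instead of a full X.509 library; the file names, function names and the two embedded test certificates (built inline, unsigned, with dummy key material) are assumptions made for the example.

```python
import base64
import datetime
import hashlib

# Minimal DER reader: just enough X.509 to pull out the fields the article says
# to compare (serialNumber, validity) plus the subject CN and a SHA-256 fingerprint.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(body):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, start, end = read_tlv(body, pos)
        yield tag, body[start:end]
        pos = end

def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode("ascii"), fmt)

def find_cn(name_body):
    """Name ::= SEQUENCE OF SET OF { type OID, value }; return the commonName."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            if oid == b"\x55\x04\x03":                # id-at-commonName (2.5.4.3)
                return value.decode("utf-8")
    return None

def to_der(data):
    """Accept DER (Wireshark 'Export Packet Bytes') or PEM (firewall export)."""
    if b"-----BEGIN" not in data:
        return data
    lines = [l.strip() for l in data.splitlines()]
    return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))

def parse_cert(data):
    """Return the comparable fields of a DER- or PEM-encoded certificate."""
    der = to_der(data)
    _, start, end = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs = next(children(der[start:end]))           # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields.pop(0)
    serial, _sig_alg, _issuer, validity, subject = fields[:5]
    not_before, not_after = [parse_time(t, v) for t, v in children(validity[1])]
    return {"serial": int.from_bytes(serial[1], "big", signed=True),
            "not_before": not_before, "not_after": not_after,
            "subject_cn": find_cn(subject[1]),
            "sha256": hashlib.sha256(der).hexdigest()}

def compare_certs(wire_cert, firewall_cert):
    """Names of the fields that differ; an empty list means the same certificate."""
    a, b = parse_cert(wire_cert), parse_cert(firewall_cert)
    return [f for f in a if a[f] != b[f]]

# Constructed test data (an assumption for this example, not from the article): two
# minimal, unsigned certificates with a dummy key and signature, so the check runs offline.
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body
def seq(*items):
    return tlv(0x30, b"".join(items))
def integer(n):                                       # positive INTEGER, minimal DER
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def name(cn):                                         # single-RDN Name holding only a CN
    atv = seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode("utf-8")))
    return seq(tlv(0x31, atv))

def make_test_cert(serial, cn, not_before, not_after):
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), sig_alg, name("Test Issuing CA"),
              seq(utctime(not_before), utctime(not_after)), name(cn),
              seq(sig_alg, tlv(0x03, b"\x00")))       # dummy subjectPublicKeyInfo
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 9))  # dummy signature BIT STRING

def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode("ascii")

NB, NA = datetime.datetime(2024, 1, 1), datetime.datetime(2025, 1, 1)
FIREWALL_CERT = make_test_cert(0x1001, "example.com", NB, NA)    # loaded on the firewall
FIREWALL_CERT_PEM = to_pem(FIREWALL_CERT)                         # same cert as a PEM export
WIRE_CERT_OK = FIREWALL_CERT                                      # what example.com sends
WIRE_CERT_BAD = make_test_cert(0x2002, "example1.com", NB, NA)    # what example1.com sends

if __name__ == "__main__":
    import sys                                        # usage: check_cert.py wire.der fw.pem
    if len(sys.argv) == 3:
        wire, fw = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        wire, fw = WIRE_CERT_BAD, FIREWALL_CERT
    diff = compare_certs(wire, fw)
    print("certificates match" if not diff else "MISMATCH in: " + ", ".join(diff))
```

Run it with no arguments to see the constructed example1.com-versus-example.com case reported as a mismatch in serial, subject CN and fingerprint, or pass the DER file exported from Wireshark and the PEM exported from the firewall to check a real pair. The validity dates of the two test certificates are deliberately identical to show why the fingerprint is the decisive field.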

NOTE:

If you are hosting multiple servers (virtual hosts) on the same machine 1.2.3.4 (same IP), make sure that the SSL decryption policies do not use only the destination IP address as match condition.

For example:

SSL Decryption Policy 1

Source : Any

Destination : 1.2.3.4

Service : service-https

Action : Decrypt with certificate example.com


SSL Decryption Policy 2

Source : Any

Destination : 1.2.3.4

Service : service-https

Action : Decrypt with certificate example1.com

In this case, when traffic for example1.com arrives, the decryption policy lookup always matches the first policy, even though that policy is bound to the certificate for example.com. The certificate named in the action is not a match condition: the firewall selects the rule on source, destination and service before it has seen the server certificate, and only then applies the certificate configured in the matching rule.

So when the server for example1.com presents its certificate, it does not match the certificate loaded for example.com, and the error above is logged.


Resolution

To avoid this situation, create a custom URL category for each hostname and use it as a match condition in the corresponding decryption policy. The URL category is evaluated from the hostname the client requests, so the firewall can select the correct rule (and therefore the correct certificate) for each server behind the shared IP rather than always taking the first IP-based match.

SSL Decryption Policy 1

Source : Any

Destination : 1.2.3.4

Service : service-https

URL Category: Category_Example (contains example.com)

Action : Decrypt with certificate example.com

SSL Decryption Policy 2

Source : Any

Destination : 1.2.3.4

Service : service-https

URL Category: Category_Example1 (contains example1.com)

Action : Decrypt with certificate example1.com



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleFCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail