WildFire Registration Failed to Validate x509 cert from ctx

Created On 04/29/19 16:11 PM - Last Modified 04/30/19 17:39 PM


Symptom


WildFire registration fails, and varrcvr.log on the management plane (mp-log) shows the following x509 verification error:
admin@PA-VM> tail follow yes mp-log varrcvr.log
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:630): Basic Validation of x509 cert Fail ; Code : 19
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:633): Issuer = /CN=FN-W-MCCA-CA
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:636): Subject = /CN=FN-W-MCCA-CA
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain


Cause


This error occurs when an upstream device (usually a firewall or proxy) is decrypting the firewall's connection to WildFire. The intercepting device re-signs the WildFire server certificate with its own CA, so the chain the firewall receives ends in that device's self-signed CA rather than in a CA the firewall trusts. The log confirms this: Issuer and Subject are identical (/CN=FN-W-MCCA-CA), and code 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ("self signed certificate in certificate chain"). The firewall therefore rejects the session, and registration cannot complete.

Palo Alto Networks firewalls avoid this problem for their own traffic: *.wildfire.paloaltonetworks.com is in the SSL Decryption Exclusion list by default, so a Palo Alto Networks firewall performing decryption passes WildFire sessions through untouched. A third-party device in the path has no such default.
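The following is an added example, not Palo Alto Networks code: a small parser that reads a varrcvr.log excerpt, groups each verify_cb failure into one record, and classifies it the way the Cause section reasons. The log format is taken from the excerpt above; the code-to-meaning table is OpenSSL's X509_V_ERR_* numbering. The embedded sample combines the article's four log lines with a constructed second failure (code 10, an expired certificate, with a made-up issuer and subject) to show that only the untrusted-CA codes point at upstream decryption.

```python
"""Classify x509 verify_cb failures from a PAN-OS varrcvr.log excerpt.

Added example (not Palo Alto Networks code). Log line layout is copied from the
article; error-code meanings follow OpenSSL's x509_vfy.h numbering.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL X509 verify result codes relevant to this failure mode.
X509_ERR = {
    10: "certificate has expired",
    18: "self signed certificate",                       # leaf itself is self-signed
    19: "self signed certificate in certificate chain",  # chain ends in an untrusted root
    20: "unable to get local issuer certificate",        # signing CA not in the trust store
    21: "unable to verify the first certificate",
}
# Codes whose usual cause is an intercepting device re-signing the server
# certificate with a CA the firewall does not trust.
INTERCEPTION_CODES = {18, 19, 20, 21}

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) ")
START_RE = re.compile(r"Basic Validation of x509 cert Fail ; Code : (\d+)")
ISSUER_RE = re.compile(r"Issuer = (.+)$")
SUBJECT_RE = re.compile(r"Subject = (.+)$")
FINAL_RE = re.compile(r"Failed to validate x509 cert from ctx: \((\d+)\) (.+)$")


@dataclass
class VerifyFailure:
    timestamp: str
    code: int
    issuer: Optional[str] = None
    subject: Optional[str] = None
    reason: Optional[str] = None

    @property
    def self_signed_issuer(self) -> bool:
        # Issuer == Subject means the top of the presented chain is a self-signed CA.
        return self.issuer is not None and self.issuer == self.subject

    def issuer_cn(self) -> Optional[str]:
        m = re.search(r"CN=([^/,]+)", self.issuer or "")
        return m.group(1) if m else None


def parse_verify_failures(log_text: str) -> List[VerifyFailure]:
    """Group the four consecutive verify_cb lines of one failure into a record."""
    failures: List[VerifyFailure] = []
    current: Optional[VerifyFailure] = None
    for line in log_text.splitlines():
        if "verify_cb(" not in line:
            continue  # unrelated varrcvr.log noise
        ts_m = TS_RE.match(line)
        ts = ts_m.group(1) if ts_m else ""
        if (m := START_RE.search(line)):
            current = VerifyFailure(timestamp=ts, code=int(m.group(1)))
            failures.append(current)
        elif current is None:
            continue
        elif (m := ISSUER_RE.search(line)):
            current.issuer = m.group(1).strip()
        elif (m := SUBJECT_RE.search(line)):
            current.subject = m.group(1).strip()
        elif (m := FINAL_RE.search(line)):
            current.reason = m.group(2).strip()
            current = None  # record complete
    return failures


def classify(f: VerifyFailure) -> str:
    """Map a failure record to the likely cause an operator should act on."""
    if f.code in INTERCEPTION_CODES:
        who = f.issuer_cn() or "unknown CA"
        if f.self_signed_issuer:
            return f"upstream decryption suspected: chain ends in untrusted self-signed CA '{who}'"
        return f"upstream decryption suspected: issuer '{who}' not in trust store"
    if f.code == 10:
        return "certificate expired: check the firewall clock and the presented certificate"
    return f"other x509 error {f.code}: {X509_ERR.get(f.code, f.reason or 'see x509_vfy.h')}"


# Sample input: the article's four lines, then a constructed expired-cert failure.
SAMPLE_LOG = """\
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:630): Basic Validation of x509 cert Fail ; Code : 19
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:633): Issuer = /CN=FN-W-MCCA-CA
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:636): Subject = /CN=FN-W-MCCA-CA
2019-04-13 02:15:34.043 -0600 Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain
2019-04-14 09:00:00.100 -0600 Error: verify_cb(pan_ssl_curl_utils.c:630): Basic Validation of x509 cert Fail ; Code : 10
2019-04-14 09:00:00.100 -0600 Error: verify_cb(pan_ssl_curl_utils.c:633): Issuer = /C=US/O=Example Corp/CN=Example Issuing CA
2019-04-14 09:00:00.100 -0600 Error: verify_cb(pan_ssl_curl_utils.c:636): Subject = /CN=wildfire.example.test
2019-04-14 09:00:00.100 -0600 Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (10) certificate has expired
"""

if __name__ == "__main__":
    for failure in parse_verify_failures(SAMPLE_LOG):
        print(failure.timestamp, f"code={failure.code}", classify(failure))
```

Run it against a saved copy of the log (e.g. `tail follow yes mp-log varrcvr.log` output pasted into a file and read with `open()`): the issuer CN it reports is the intercepting device's CA, which tells you which upstream box needs the exclusion.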


Resolution


Add *.wildfire.paloaltonetworks.com to the SSL decryption exclusion list on the upstream device so that the WildFire session is passed through without interception. Once the change is in place, watch varrcvr.log again: the verify_cb errors should stop and registration should complete.


Additional Information


For additional information about decryption exclusions, please review this article: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-exclusions.html

Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLqzCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail