Error: Failed to validate x509 cert from ctx

Created On 10/17/19 00:30 AM - Last Updated 03/02/20 22:01 PM


Symptom
When trying to download the PAN-DB URL database, the following error message is seen: "Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain".
 

System log error:
 
info url-fil failed- 0 PAN-DB download: Failed.
medium url-fil url-dow 0 PAN-DB seed loading failed (ERROR:Peer certificate cannot be authenticated with given CA certificates).
high tls tls-X50 0 PANDB Cloud Agent Server certificate validation failed. Dest Addr: s0000.urlcloud.paloaltonetworks.com, Reason: self signed certificate in certificate chain
high tls tls-X50 0 PANDB Cloud Agent Server certificate validation failed. Dest Addr: s0000.urlcloud.paloaltonetworks.com, Reason: self signed certificate in certificate chain

Device server log:
     
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:628): Error with certificate at depth: 3
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:630): Basic Validation of x509 cert Fail ; Code : 19
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:633): Issuer = /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:636): Subject = /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain
mp devsrv.log  Error:pan_mgmt_secure_conn_ocsp_crl_check_wrap(pan_sec_conn_client.c:203): X509_verify_cert failed 0
mp devsrv.log  Warning: pan_cloud_agent_collect_cloud_info_cb(pan_cloud_agent_connect.c:1842): cloud elect connection close

Pan download log:
     
mp pan_download.log  PAN-DB download failed. Please check your network connectivity, DNS settings, and NTP settings.

URL cloud status shows not connected:
     
> show url-cloud status

PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 20190223.20227
URL database version - cloud : 20190223.20227 
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible


 


Environment
  • PAN-OS 8.1.6.
  • Palo Alto Firewall.
  • PAN-DB URL database version 20190223.20227.


Cause
A Certificate Profile was applied to customized communications in the Secure Communication Settings. PAN-DB, being part of those settings, tries to use the certificate and returns the error.
 


Resolution
  1. Make sure the firewall can reach the cloud server.
  2. In the GUI: Device > Setup > Management > Secure Communication Settings, uncheck PAN-DB Communication and commit the changes.
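
To tell this trust failure apart from a plain connectivity problem, the verify_cb lines in devsrv.log can be grouped into one record per failure. In OpenSSL, verify code 19 with Issuer equal to Subject means the chain ends in a root that is not in the trust store in use. The following is an added example, not Palo Alto code: the helper name is hypothetical, the sample log is constructed, and the line format is assumed to match the devsrv.log excerpt above.

```python
import re

# Constructed sample in the devsrv.log format shown in this article.
SAMPLE_LOG = """\
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:628): Error with certificate at depth: 3
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:630): Basic Validation of x509 cert Fail ; Code : 19
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:633): Issuer = /C=US/O=Example CA/OU=Example Root
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:636): Subject = /C=US/O=Example CA/OU=Example Root
mp devsrv.log  Error: verify_cb(pan_ssl_curl_utils.c:639): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain
mp devsrv.log  Warning: pan_cloud_agent_collect_cloud_info_cb(pan_cloud_agent_connect.c:1842): cloud elect connection close
"""

# Field patterns applied to the message part of each verify_cb line.
FIELDS = {
    "depth": re.compile(r"Error with certificate at depth:\s*(\d+)"),
    "code": re.compile(r"Code\s*:\s*(\d+)"),
    "issuer": re.compile(r"Issuer = (.+)"),
    "subject": re.compile(r"Subject = (.+)"),
    "reason": re.compile(r"Failed to validate x509 cert from ctx: \(\d+\) (.+)"),
}
VERIFY_CB = re.compile(r"verify_cb\([^)]*\):\s*(.*)$")

def parse_verify_failures(text):
    """Group verify_cb lines into one record per failure (hypothetical helper)."""
    records, current = [], None
    for line in text.splitlines():
        m = VERIFY_CB.search(line)
        if not m:
            continue  # not a verify_cb line (other daemons, warnings)
        msg = m.group(1)
        for name, pat in FIELDS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            # A depth line starts a new record; so does a log that begins mid-record.
            if name == "depth" or current is None:
                current = {}
                records.append(current)
            value = hit.group(1).strip()
            current[name] = int(value) if name in ("depth", "code") else value
    for r in records:
        # Issuer == Subject marks a self-issued (root) certificate; with code 19
        # the chain's root is absent from the trust store used for the connection.
        r["untrusted_root"] = (r.get("code") == 19 and "issuer" in r
                               and r["issuer"] == r.get("subject"))
    return records
```

A record with `untrusted_root` set points at the trust store selected for the connection rather than at reachability, DNS or NTP.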


