GlobalProtect Agent on Linux CentOS cannot connect to GlobalProtect Gateway
Created On 01/06/20 04:33 AM - Last Modified 08/24/23 15:05 PM
Symptom
GP Agent on Linux CentOS cannot connect to the Gateway.
Error messages encountered
There is a problem with the security certificate, so the identity of xxxxxxx cannot be verified. Please contact the Help Desk for your organization to have the issue rectified. Warning: The communication with xxxxxxx may have been compromised. We recommend that you do not continue with this connection.
Error: Gateway gateway: The server certificate is invalid. Please contact your IT administrator.
Error: Gateway gateway: GlobalProtect is not licensed for this feature or device. Please contact your IT administrator.
Environment
PAN-OS
Global Protect
GP Agent for Linux CentOS
Cause
Two causes have been identified for this issue (either one or both may apply):
- the certificate used by GP is not trusted by the client.
- the certificate used by GP has CA attributes (it is marked as a CA certificate).
Resolution
Case 1 : the GP certificate is not trusted
Verification
From the terminal, use curl in verbose mode against the portal URL:
$ curl -vvI https://xxxxx.xxx
You should see this error (the number may differ, but the meaning should be the same):
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Resolution
Export the root CA (and the intermediate CA) certificate from the firewall.
Open the terminal and perform the following as the root user (or use sudo). On CentOS the anchor directory is /etc/pki/ca-trust/source/anchors/:
# cp ~/Downloads/cert.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
Case 2 : the GP certificate has CA attributes
Verification
From the terminal, use curl in verbose mode against the portal URL:
$ curl -vvI https://xxxxx.xxx
You should see the following error messages:
* NSS error -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE)
* Certificate key usage inadequate for attempted operation.
* Closing connection 0
curl: (60) Certificate key usage inadequate for attempted operation.
Resolution
The certificate used by GP must not be marked as a CA.
Imported certificate:
Contact the system administrator to regenerate a new certificate without the CA attribute set.
Self-signed certificate:
- Go to Device > Certificate Management > Certificates
- Create a new self-signed certificate; it will be used as the Root CA.
This certificate will be the one you need to import in your trusted CA store.
- Create a new certificate signed by the Root CA.
You should get the following view, which shows the dependency link between the Root CA and the new certificate.
Now, you need to update the SSL/TLS Service profile with the new certificate.
- Go to Device > Certificate Management > SSL/TLS Service Profile
- Select the profile used by GP
- Replace the certificate with the new certificate
- Click OK
- Commit the changes.
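The two curl checks above (Case 1, untrusted issuer; Case 2, CA attribute on the server certificate) can be reproduced offline against a PEM file. The following is an added example, not Palo Alto's code or a GlobalProtect tool: it uses openssl instead of curl's NSS backend, and the function names, temporary paths and the CN gp.example.invalid are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not Palo Alto's code: run the two checks the article's curl output
# implies (issuer trust, CA attribute) with openssl. Names, paths and CNs are invented.
set -eu

# Case 1 check: does the certificate in $1 chain to a CA in bundle $2?
leaf_is_trusted() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Case 2 check: does the certificate in $1 carry basicConstraints CA:TRUE?
leaf_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Verdict for PEM cert $1 against bundle $2: ok, untrusted, ca-flag or untrusted+ca-flag.
check_gp_cert() {
    verdict=""
    leaf_is_trusted "$1" "$2" || verdict="untrusted"
    if leaf_is_ca "$1"; then verdict="${verdict:+$verdict+}ca-flag"; fi
    echo "${verdict:-ok}"
}

# --- constructed sample certificates (not a real GP portal); gp.example.invalid is a placeholder ---
work=$(mktemp -d)
cat > "$work/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = gp.example.invalid
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
selfsign() { openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/req.cnf" \
    -extensions v3_ca -subj "$2" -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null; }
csr() { openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null; }
issue() { openssl x509 -req -in "$work/$1.csr" -CA "$work/root.crt" -CAkey "$work/root.key" \
    -CAcreateserial -days 2 -extfile "$work/req.cnf" -extensions "$2" -out "$work/$1.crt" 2>/dev/null; }

selfsign root '/CN=Example Root CA'      # the trust anchor: CA:TRUE is correct here
csr good;   issue good v3_srv            # issued by root, CA:FALSE      -> ok
csr caflag; issue caflag v3_ca           # issued by root but CA:TRUE    -> ca-flag (Case 2)
selfsign bad '/CN=gp.example.invalid'    # not issued by a trusted CA    -> untrusted+ca-flag

for c in good caflag bad; do echo "$c: $(check_gp_cert "$work/$c.crt" "$work/root.crt")"; done
```

To check a real portal certificate, save it to a file and pass it together with the system bundle (/etc/ssl/certs/ca-bundle.crt on CentOS) to check_gp_cert; a "ca-flag" verdict is the condition Case 2 describes even when the issuer is trusted.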
Additional Information
To check the CAs that were added manually:
# openssl x509 -noout -subject < /etc/ssl/certs/ca-bundle.crt
Note that openssl x509 reads only the first certificate of the bundle; the certificates you added yourself are the files in /etc/pki/ca-trust/source/anchors/.
You may need to enable "update-ca-trust" first:
# update-ca-trust enable