GlobalProtect client fails with error "Could not verify the server certificate of the gateway..."


127605
Created On 04/14/22 02:27 AM - Last Modified 11/11/22 19:12 PM


Symptom


  • The GlobalProtect client shows the following error message when a user tries to connect:
    "Could not verify the server certificate of the gateway. If the issue persists, contact your administrator."
  • Certificate validation errors can be seen in the PanGPS.log file.
20830 02/04 09:08:07:640041 - unable to verify, index=0
20830 02/04 09:08:07:640202 - java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
20830 02/04 09:08:07:640332 - proceed to verify server cert against portal CAs...
20830 02/04 09:08:07:640885 - 1322
20830 02/04 09:08:07:646400 - java.io.FileNotFoundException: /data/user/0/com.paloaltonetworks.globalprotect/files/tca.cer: open failed: ENOENT (No such file or directory)
20830 02/04 09:08:07:652614 - PanHttpsClient: 1738, found exception:javax.net.ssl.SSLHandshakeException: CertPathValidatorException:,Trust anchor for certification path not found
20830 02/04 09:08:07:652749 - PanHttpsClient: server cert error
  • Opening the portal URL in any browser on the affected machine also shows a certificate warning.


Environment


  • GlobalProtect App 5.2


Cause


  • The certificate used by Portal and Gateway is signed by an external certificate authority (CA).
  • The certificate chain needed to complete validation is incomplete on the client machine. Example:
    • Root CA: DigiCert Global Root CA - the root certificate is present on the client machine.
    • Intermediate CA: GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 - the intermediate CA certificate is not present on the client machine.
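The situation described above can be reproduced offline. The script below is an added example, not part of the Palo Alto Networks article: it builds a constructed three-tier chain (root, intermediate, server certificate with made-up names such as "Example Root CA" and vpn.example.test) using only the openssl CLI, then asks openssl to validate the server certificate first with just the root in the trust store, and again with the intermediate supplied. The first check fails for the same reason the PanGPS.log lines report (no path from the server certificate to a trust anchor); the second succeeds.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks article: reproduces the failure
# mode described under "Cause" with a constructed three-tier chain, then shows
# that giving the verifier the intermediate CA is what makes validation succeed.
# Requires only the openssl CLI (1.1.1 or 3.x); every name below is made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the constructed CA and server certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > leaf_ext.cnf

# Helper: new EC key and CSR for a given file prefix ($1) and subject CN ($2).
new_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" >/dev/null 2>&1
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" >/dev/null 2>&1
}

# Root CA (self-signed): stands in for the public root that IS in the client's store.
new_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca_ext.cnf -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root: stands in for the issuing CA that is NOT on the client.
new_csr intermediate "Example Intermediate CA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca_ext.cnf -out intermediate.pem >/dev/null 2>&1

# Portal/gateway server certificate, signed by the intermediate.
new_csr server "vpn.example.test"
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf_ext.cnf -out server.pem >/dev/null 2>&1

# check_chain LEAF TRUSTED_ROOTS [UNTRUSTED_INTERMEDIATES]
# Prints "ok" when openssl can build a path from LEAF to a certificate in
# TRUSTED_ROOTS; otherwise prints openssl's reason for the failure.
check_chain() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) && { echo ok; return; }
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo ok; return; }
  fi
  echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Root present, intermediate missing: the situation the PanGPS.log lines describe.
echo "root only:         $(check_chain server.pem root.pem)"
# Root present and intermediate supplied: what the resolution pushes to the client.
echo "root+intermediate: $(check_chain server.pem root.pem intermediate.pem)"
```

On a real client the equivalent diagnostic is `openssl s_client -connect <portal>:443 -showcerts`, which lists every certificate the portal actually sends. If the portal presents only its own certificate, the client must already hold the intermediate itself, which is exactly what the resolution below arranges.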


Resolution


Solution 1:  Solution 2: 
  1. Upload the root and intermediate CA certificates to the firewall:
    1. Device > Certificates > Device Certificates > Import
    2. Certificate type: Local
    3. Certificate Name: Give the certificate a name (e.g., Root-CA)
    4. Certificate File: Select the downloaded certificate
    5. Click 'OK'
  2. Repeat the step above for every root and intermediate certificate in the chain.
  3. Add the uploaded certificates to the portal configuration so they are downloaded and installed on the user machine when GlobalProtect connects to the VPN:
    1. Go to Network > GlobalProtect > Portal > Agent
    2. Click 'Add' and select the Root CA certificate.
    3. Check the box 'Install in Local Root Certificate Store'.
    4. Repeat the steps above for the intermediate CA certificate(s).
  4. Commit the changes.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004O5iCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail