GlobalProtect client fails with error "Could not verify the server certificate of the gateway..."
127605
Created On 04/14/22 02:27 AM - Last Modified 11/11/22 19:12 PM
Symptom
- The GlobalProtect client shows the error message below when a user tries to connect:
"Could not verify the server certificate of the gateway. If the issue persists, contact your administrator."
- Certificate validation errors can be seen in the PanGPS.log file.
20830 02/04 09:08:07:640041 - unable to verify, index=0
20830 02/04 09:08:07:640202 - java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
20830 02/04 09:08:07:640332 - proceed to verify server cert against portal CAs...
20830 02/04 09:08:07:640885 - 1322
20830 02/04 09:08:07:646400 - java.io.FileNotFoundException: /data/user/0/com.paloaltonetworks.globalprotect/files/tca.cer: open failed: ENOENT (No such file or directory)
20830 02/04 09:08:07:652614 - PanHttpsClient: 1738, found exception:javax.net.ssl.SSLHandshakeException: CertPathValidatorException:,Trust anchor for certification path not found
20830 02/04 09:08:07:652749 - PanHttpsClient: server cert error
- Opening the portal URL in any browser on the affected machine also shows a certificate warning.
Environment
- GlobalProtect App 5.2
Cause
- The certificate used by Portal and Gateway is signed by an external certificate authority (CA).
- Part of the certificate chain needed to complete validation is missing on the client machine. Example:
- Root CA: DigiCert Global Root CA - the root certificate is present on the client machine.
- Intermediate CA: GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 - the intermediate CA certificate is not available on the client machine, so the client cannot link the server certificate to the trusted root.
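To see the failure from the log and its fix in isolation, this added example (not part of the article) builds a throwaway root, intermediate and portal certificate with openssl, then verifies the leaf first against the root alone (the client's situation, since only the root is installed) and then with the intermediate supplied. All names (Demo Root CA, Demo Intermediate CA, portal.example.test) are constructed.

```shell
#!/bin/sh
# Added example, not code from the KB article: reproduce "trust anchor not found"
# with a constructed CA hierarchy, then show verification passing once the
# intermediate certificate is available.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway self-signed root CA and an intermediate CA signed by it
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 2 -extfile int.ext 2>/dev/null

# Server (portal/gateway) certificate, signed by the intermediate only
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=portal.example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:portal.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile leaf.ext 2>/dev/null

# verify_chain TRUSTED_ROOTS [INTERMEDIATE]: prints "ok" or "fail" for leaf.pem,
# judging it the way a client with only the root in its store would.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "root only:          $(verify_chain root.pem)"       # fail
echo "root + intermediate: $(verify_chain root.pem int.pem)" # ok
```

Against a real deployment, `openssl s_client -connect <portal-hostname>:443 -showcerts` lists exactly which certificates the portal or gateway sends, so a missing intermediate is visible without touching the client.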
Resolution
Solution 1:
- Download the missing certificate(s) and install them on the user machine manually. See CERTIFICATE CONFIG FOR GLOBALPROTECT.
- Upload these certificates to the firewall
- Device > Certificates > Device Certificates > Import
- Certificate type: Local
- Certificate Name: Give a certificate name (ex., Root-CA)
- Certificate File: Select the downloaded certificate
- Click 'OK'
- Follow the above step for all the root and intermediate certificates.
- Add the uploaded certificates to the portal's agent configuration so that GlobalProtect downloads and installs them on the user machine when it connects to the VPN.
- Go to Network > GlobalProtect > Portal > Agent
- Click on 'add' and select the Root CA certificate.
- Check the box 'INSTALL IN LOCAL ROOT CERTIFICATE STORE'
- Follow the above steps for the intermediate CA certificate(s) too.
- Commit the changes