SSL decryption error (Inbound) incomplete chain


24625
Created On 07/13/20 19:36 PM - Last Modified 08/20/20 08:52 AM


Symptom


  • SSL decryption (Inbound) worked as expected on the firewall.
  • But when the customer ran a cURL command from specific devices, they received the error message "SSL error incomplete chain".
  • The error affected only a few machines in the network. The affected systems did not have a certificate store.
  • Checking the certificate with https://www.ssllabs.com/ssltest/index.html returned the same error, listed below:
Error: This server's certificate chain is incomplete


Environment


  • Any PAN-OS
  • Palo Alto Networks firewall with Decryption configured.
  • End hosts that do not have a certificate store (example: old Novell systems).
  • Certificates imported on the firewall.


Cause


Certificates imported in the wrong order cause the "SSL error incomplete chain" error on systems that do not have a local certificate store: such hosts cannot fill in a missing CA certificate themselves, so the firewall must present the full chain in the correct order.

Resolution


  1. From the firewall, export the existing certificates including the private key using the GUI: Device > Certificate Management > Certificate > select the certificate > Export Certificate, check the checkbox "Export private key" and enter any passphrase.

Screenshot: Exporting Certificate

  2. Save the exported certificate to the local desktop.
  3. Repeat this process for all certificates.
  4. Once the certificates are saved, delete the existing certificates from the firewall using the GUI: Device > Certificate Management > Certificate > select the certificate > Delete. Note that if the certificate is still in use, the deletion fails with an error. Remove the references to the certificate and try again.

Screenshot: Deleting the certificate

  5. Re-import the certificates in the correct order, which is:
  • Root CA
  • Server certificate
  • Client certificate
Use the GUI: Device > Certificate Management > Certificate > Import (enter the required information such as Certificate Name and Certificate File location, check the checkbox "Import Private Key" and enter the passphrase; refer to the screenshots below).

Screenshot: Importing the certificate

  6. Add the certificates back to the respective profiles, such as the certificate profile or SSL/TLS service profile, and commit the configuration.
  7. Retest the certificate using curl or the SSL Labs URL; the error should no longer be seen.
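An added check for the retest step (example code, not from this article or from PAN-OS): it parses the PEM chain a server presents, as captured with `openssl s_client -showcerts`, and reports whether it is complete and ordered leaf, issuing CA, root, which is what a host with no certificate store needs. Issuer and subject are compared as raw DER Name bytes; `fake_cert` builds constructed, unsigned test certificates so the script runs offline, and the CN values in it are made up.

```python
import base64
import re

def der_children(body):
    """Split the body of a DER SEQUENCE into (tag, value) children."""
    i, out = 0, []
    while i < len(body):
        tag, length, i = body[i], body[i + 1], i + 2
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(body[i:i + n], "big"), i + n
        out.append((tag, body[i:i + length]))
        i += length
    return out

def names_of(der_cert):
    """Return (issuer, subject) as raw DER Name bodies (RFC 5280 section 4.1)."""
    outer = der_children(der_cert)[0][1]               # Certificate ::= SEQUENCE
    tbs = der_children(der_children(outer)[0][1])      # tbsCertificate ::= SEQUENCE
    if tbs[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]                        # serial, sigAlg, issuer, validity, subject

def audit_chain(pem_text):
    """Return a list of problems; an empty list means leaf -> CA(s) -> root, complete and in order."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [base64.b64decode(b) for b in blobs]
    if not certs:
        return ["no certificates found"]
    problems = []
    for n in range(len(certs) - 1):                    # each cert must be issued by the next one
        if names_of(certs[n])[0] != names_of(certs[n + 1])[1]:
            problems.append(f"certificate {n + 1} did not issue certificate {n}: chain out of order or missing a CA")
    issuer, subject = names_of(certs[-1])
    if issuer != subject:
        problems.append("last certificate is not a self-signed root: a host with no certificate store cannot complete the chain")
    return problems

def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned test certificate carrying only the fields names_of() reads."""
    def tlv(tag, body):
        assert len(body) < 128                         # short-form DER length is enough for the fixtures
        return bytes([tag, len(body)]) + body
    def name(cn):                                      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn)
    der = tlv(0x30, tlv(0x30, tbs))                    # Certificate { tbsCertificate { ... } }
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

To audit a live server, feed the output of `openssl s_client -connect host:443 -showcerts </dev/null` to `audit_chain`; a chain that ends at an intermediate, or with the root imported before the server certificate was re-ordered, is reported rather than silently trusted.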

