Commit Failure with error "Certificate error, reverting configuration"

Created On 04/25/24 09:54 AM - Last Modified 07/18/24 03:01 AM


Symptom


  • After configuring Secure Communication with a Custom Certificate, the commit fails and the configuration is reverted.
  • On the firewall, the commit job fails with the following reason:
Reason: Certificate error, reverting configuration
  • In configd.log (less mp-log configd.log), the following errors are displayed:
-0700 [secure_conn] Verification of Server cert was unsuccessful
-0700 [secure_conn] Verification of Server cert was successful
-0700 Warning: pan_cmsa_tcp_channel_setup(cms_agent.c:1511): cmsa: using secure_conn_ctx
-0700 Error: pan_sec_conn_client_validation_impl(pan_sec_conn_client.c:455): [Secure conn verify result] Certificate verification failed due to Error 26 : unsupported certificate purpose 
-0700 Error: pan_cmsa_tcp_channel_setup(cms_agent.c:1741): ACR: Failed to verify certificate
-0700 ACR: Panorama connectivity check failed for <Panorama Address>. Reason: Certificate error, reverting configuration
-0700 ACR: Post-commit connectivity check failed, beginning to revert config


Environment


  • Panorama managed PA Firewalls
  • PAN-OS 10.2 on both Firewall and Panorama
  • Secure Communication between Firewall and Panorama with Custom Certificate


Cause


A single self-signed CA certificate and one certificate signed by that CA are used by both Panorama and the firewall.

Panorama:

  • Under GUI: Panorama > Certificate management > Certificates, "FW_cert" is generated as shown below.
  • This certificate is used under GUI: Device > Setup > Management > Secure Communication setting > Customize Secure Server Communication.
Panorama-1.png

Firewall:
  • Under GUI: Device > Certificate management > Certificates, "FW_cert" is pushed from the Panorama template.
  • This certificate is used under GUI: Panorama > Setup > Management > Secure Communication setting > Certificate.
Firewall-1.png
  • Because the same certificate is used as the server certificate on Panorama and as the client certificate on the firewall, certificate verification fails with Error 26 (unsupported certificate purpose) and the commit is reverted.

Resolution


  1. Use separate certificates for Panorama and the firewall.
  2. As an example, two certificates are generated: Pan_cert is used on Panorama and FW_cert is used on the firewall.

Panorama-3.png

 

 


Additional Information




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrP4CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail