Why am I seeing the error "Winhttp_callback_status_flag_invalid_ca" in my PanGPS logs?

Created On 12/17/20 18:38 PM - Last Modified 12/17/20 18:44 PM


Question


Why am I seeing the error "Winhttp_callback_status_flag_invalid_ca" in my PanGPS logs?
 
(T3336) 07/17/20 10:17:31:134 Info (2257): winhttpObj, dwCertError is:
(T3336) 07/17/20 10:17:31:134 Info (2261): WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
(T3336) 07/17/20 10:17:31:134 Info (2244): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000000001C34720)
(T3336) 07/17/20 10:17:31:134 Debug(2319): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5
(T3336) 07/17/20 10:17:31:134 Debug(3509): we get cert error, so remove previousCertificate
(T1724) 07/17/20 10:17:31:196 Debug(3469): send alive message now 3
(T704) 07/17/20 10:17:31:196 Debug( 504): Command = <request><type>pan_msg_ping</type><result>3</result></request>
(T1724) 07/17/20 10:17:31:196 Info (1258): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T1724) 07/17/20 10:17:31:196 Info (1260): winhttpObj, ERROR_WINHTTP_SECURE_FAILURE set
(T1724) 07/17/20 10:17:31:196 Error(1285): error = ERROR_WINHTTP_SECURE_FAILURE


Environment


  • GlobalProtect Infrastructure
  • Certificate based authentication
  • Windows endpoint 


Answer


This error appears whenever the server certificate used in the SSL/TLS profile for the Portal/Gateway is invalid.

Common causes include the following:
  1. The root CA used to sign the server certificate isn't installed on the endpoint in the proper store (e.g., user and/or machine)
  2. The server certificate has expired or has incorrect attributes (e.g., SAN IP or domain name)
  3. The SSL/TLS profile is using the incorrect certificate
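
To locate these events in a longer PanGPS log, the following added example (not part of the original article and not Palo Alto Networks code) extracts each dwCertError event and the WinHTTP flags logged after it, and pairs each flag with a first check. The function names, the hint text, and the assumption that other WinHTTP certificate flags are logged one per line in the same layout are this example's own.

```python
import re

PREFIX = "WINHTTP_CALLBACK_STATUS_FLAG_"
# Layout seen in the excerpt: (T<thread>) MM/DD/YY HH:MM:SS:mmm Level(<n>): message
LINE_RE = re.compile(r"^\(T(?P<thread>\d+)\)\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+"
                     r"\w+\s*\(\s*\d+\):\s*(?P<msg>.*)$")
FLAG_RE = re.compile(rf"^{PREFIX}\w+$")

# Flag suffixes are WinHTTP's own names; the hints are this example's mapping onto
# the causes listed in the article (an assumption, not vendor text).
HINTS = {
    "INVALID_CA": "issuer not trusted: check the root CA store and the SSL/TLS profile",
    "CERT_DATE_INVALID": "validity period: check whether the server certificate expired",
    "CERT_CN_INVALID": "name mismatch: check the SAN IP or domain name",
}

def find_cert_errors(log_text):
    """Return one event per 'dwCertError is:' line with the flags logged after it."""
    events, open_by_thread = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"].strip()
        if msg.endswith("dwCertError is:"):
            open_by_thread[thread] = {"thread": thread, "time": m["ts"], "flags": []}
            events.append(open_by_thread[thread])
        elif thread in open_by_thread and FLAG_RE.match(msg):
            open_by_thread[thread]["flags"].append(msg)
        else:
            open_by_thread.pop(thread, None)  # another message ends that thread's flag list
    return events

def triage(log_text):
    """One line per flag: timestamp, thread, flag name, and what to check first."""
    return [f"{e['time']} T{e['thread']} {f}: {HINTS.get(f[len(PREFIX):], 'no hint')}"
            for e in find_cert_errors(log_text) for f in e["flags"]]

# T3336 lines are copied from the excerpt; T4100 and T1724 lines are constructed.
SAMPLE = """\
(T3336) 07/17/20 10:17:31:134 Info (2257): winhttpObj, dwCertError is:
(T3336) 07/17/20 10:17:31:134 Info (2261): WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
(T3336) 07/17/20 10:17:31:134 Debug(2319): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5
(T4100) 07/17/20 10:18:02:500 Info (2257): winhttpObj, dwCertError is:
(T1724) 07/17/20 10:18:02:500 Debug(3469): send alive message now 3
(T4100) 07/17/20 10:18:02:500 Info (2261): WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID
(T4100) 07/17/20 10:18:02:500 Info (2261): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
"""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Flags are tracked per thread ID because PanGPS interleaves lines from several threads, as the T1724 line in the sample shows.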

 


Additional Information


For additional information regarding the certificate requirements when deploying GlobalProtect, please refer to the following documents: 
