Cannot Access WEBUI after configuring SSL/TLS Service Profile
Created On 01/14/21 23:48 PM - Last Modified 09/07/21 22:36 PM
Symptom
After configuring an SSL/TLS Service Profile under Device > Management > General Settings that references an invalid SSL certificate, the firewall's WEBUI is no longer accessible and the browser shows a "NET::ERR_CERT_COMMON_NAME_INVALID" error.
Environment
- Any Firewall and Panorama Appliances
- PAN-OS 8.1 and above.
Cause
- The Common Name of the certificate does not match the URL or IP address used to reach the WEBUI.
- Some browsers may require a subject alternative name (SAN) to validate the URL being accessed.
Resolution
- Remove the SSL/TLS Service Profile from the CLI to regain access to the WEBUI:
> configure
# delete deviceconfig system ssl-tls-service-profile
# commit
# exit
- Regenerate the SSL certificate, adding the Host Name under Certificate Attributes.
- Install the root CA certificate that signed the SSL certificate into the Trusted Root Certification Authorities container on the client so the certificate validates properly. In this example, the root certificate "testbox-root-CA" is in the root store of the client machine.
- Confirm that DNS resolution for the firewall works on the host. (In this case, dan is our firewall.)
- Connect to the firewall using the common name (dan) and validate the SSL connection by checking the padlock next to the URL.
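
The name check a SAN-requiring browser applies to the WEBUI URL, as an added example that is not part of the original article: the Common Name is ignored and only subjectAltName entries are matched. The certificate dicts follow the layout returned by Python's ssl.SSLSocket.getpeercert(); the function names, the sample certificates and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress


def _dns_match(pattern, host):
    """Match one SAN DNS entry; '*' is only honoured as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 1:
        return p[1:] == h[1:]
    return p == h


def browser_check(cert, target):
    """Return (ok, reason) for reaching the WEBUI at `target` (hostname or IP).

    Only subjectAltName is consulted. A certificate whose Common Name matches
    but which has no SAN is rejected, which is the case behind
    NET::ERR_CERT_COMMON_NAME_INVALID in SAN-requiring browsers.
    """
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "no subjectAltName; CN alone is not accepted"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a hostname, not an IP literal
    for kind, value in san:
        # An IP in the URL can only match an 'IP Address' entry, never a DNS one.
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, "matched SAN IP Address " + value
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True, "matched SAN DNS " + value
    return False, "no SAN entry matches " + target


# Constructed sample certificates (not taken from a real firewall).
SUBJECT = ((("commonName", "dan"),),)
CN_ONLY = {"subject": SUBJECT}
HOST_SAN = {"subject": SUBJECT, "subjectAltName": (("DNS", "dan"),)}
HOST_IP_SAN = {"subject": SUBJECT,
               "subjectAltName": (("DNS", "dan"), ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY), ("SAN host", HOST_SAN),
                       ("SAN host+IP", HOST_IP_SAN)):
        for target in ("dan", "192.0.2.10"):
            print(f"{name:12} {target:12} {browser_check(cert, target)}")
```

A certificate that carries only the host name in its SAN still fails when the WEBUI is opened by IP address, so the name checked here must be the one actually typed into the browser.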