Cannot Access WEBUI after configuring SSL/TLS Service Profile

Created On 01/14/21 23:48 PM - Last Modified 09/07/21 22:36 PM


Symptom


After configuring an SSL/TLS Service Profile under Device > Management > General Settings that references an invalid SSL certificate, the firewall's WEBUI is no longer accessible and the browser shows the error "NET::ERR_CERT_COMMON_NAME_INVALID".



Environment


  • Any Firewall and Panorama Appliances
  • PAN-OS 8.1 and above.


Cause


  • The Common Name of the certificate does not match the URL or IP address used to reach the WEBUI.
  • Some browsers may require a subject alternative name (SAN) to validate the URL being accessed.


Resolution


  1. Remove the SSL/TLS Service Profile from the CLI to regain access to the WEBUI:
       > configure
       # delete deviceconfig system ssl-tls-service-profile
       # commit
       # exit
  2. Regenerate the SSL certificate, adding the Host Name under Certificate Attributes.
  3. Install the root CA certificate that signed the SSL certificate into the Trusted Root Certification Authorities container on the client so that the certificate validates properly. In this example, the root certificate "testbox-root-CA" is in the root store of the client machine.
  4. Confirm that DNS resolution for the firewall works on the host (in this example, dan is the firewall).
  5. Connect to the firewall using the common name (dan) and validate the SSL connection by checking the padlock next to the URL.
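
The name check behind the two causes above, as an added example (not Palo Alto Networks code) that can be run against a certificate's names before the profile is re-attached. It assumes the certificate is given as a dict in the shape returned by Python's ssl.SSLSocket.getpeercert(); the two sample certificates and the address 192.0.2.10 are constructed.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' only counts as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.example.test matches fw.example.test
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_name(cert, host):
    """Return (san_ok, cn_ok) for the host or IP typed into the browser.

    san_ok: a SAN entry of the right type matches (what a SAN-requiring browser needs).
    cn_ok:  the Common Name matches (accepted only by clients that still fall back to it).
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        san_ok = any(kind == "IP Address" and _is_ip(val) and ipaddress.ip_address(val) == want
                     for kind, val in sans)
    else:
        san_ok = any(kind == "DNS" and _dns_match(val, host) for kind, val in sans)
    cns = [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]
    if _is_ip(host):
        cn_ok = host in cns
    else:
        cn_ok = any(_dns_match(cn, host) for cn in cns)
    return san_ok, cn_ok

# Constructed samples: a certificate with only a Common Name, and one with SAN entries.
CN_ONLY = {"subject": ((("commonName", "dan"),),)}
WITH_SAN = {"subject": ((("commonName", "dan"),),),
            "subjectAltName": (("DNS", "dan"), ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        for host in ("dan", "192.0.2.10"):
            san_ok, cn_ok = check_name(cert, host)
            print(f"{label:9} https://{host}/  SAN match={san_ok}  CN match={cn_ok}")
```

A result of (False, True) is the case where the Common Name is correct but a browser that requires a SAN still rejects the certificate.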
 