Next Generation Firewall unable to connect to Panorama with "Cert verify failed: error: 10 (certificate has expired)"
Created On 05/15/24 15:25 PM - Last Modified 05/17/24 21:24 PM
Symptom
- ms.log (less mp-log ms.log) displays "Cert verify failed: error: 10 (certificate has expired)" messages every 10 seconds
0900 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)
.....
0900 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)
- Based on the certificate expiration article, the required App version is already installed (8847-8736 installed, which is higher than 8795-8489)
- System logs (show log system) display a "Please reboot your device" message
2024/05/15 12:12:40 info general general 0 This is applicable only to Panorama/Panorama-managed devices and can be ignored otherwise. The Panorama certificate, expiring 19-Nov-2033, for managing NGFW and log collectors has been installed. To activate the renewed certificate, please reboot your device. Panorama can not manage devices after April 7th without a reboot. Additional information is available in the content release notes. If a custom certificate is used then this message is not applicable, and no action is required.
Environment
- Next Generation Firewall
- Panorama
- PAN-OS 8.1 and above.
- Certificate expiration
Cause
As displayed in the system logs and Live article, a reboot is required after installing an App version higher than 8795-8489.
Resolution
Reboot both Panorama and the Next Generation Firewall after installing an App version higher than 8795-8489.
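
The three symptoms above can be checked together against saved output of `less mp-log ms.log` and `show log system`. The following is an added example, not Palo Alto Networks code; the function names and verdict labels are hypothetical, and the sample input is constructed from the log lines quoted in this article.

```python
import re

# Values quoted from the article.
THRESHOLD_APP = "8795-8489"
CERT_EXPIRED = "Cert verify failed: error: 10 (certificate has expired)"
REBOOT_HINT = "To activate the renewed certificate, please reboot your device"


def app_version_key(version):
    """Turn 'major-minor' (e.g. '8847-8736') into a comparable tuple of ints."""
    match = re.fullmatch(r"(\d+)-(\d+)", version.strip())
    if not match:
        raise ValueError(f"unexpected App version format: {version!r}")
    return int(match.group(1)), int(match.group(2))


def triage(ms_log, system_log, installed_app):
    """Classify the state described in the article from saved CLI output."""
    expired = sum(CERT_EXPIRED in line for line in ms_log.splitlines())
    reboot_pending = any(REBOOT_HINT in line for line in system_log.splitlines())
    # The article words the requirement as "higher than", so compare strictly.
    app_ok = app_version_key(installed_app) > app_version_key(THRESHOLD_APP)
    if expired == 0:
        verdict = "no-expired-cert-errors"
    elif not app_ok:
        verdict = "app-version-too-low"
    elif reboot_pending:
        verdict = "reboot-required"
    else:
        verdict = "not-covered-by-this-article"
    return {"expired_errors": expired, "app_ok": app_ok,
            "reboot_pending": reboot_pending, "verdict": verdict}


# Constructed sample input, built from the log lines quoted in this article.
SAMPLE_MS_LOG = """\
0900 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)
0900 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)
"""
SAMPLE_SYSTEM_LOG = (
    "2024/05/15 12:12:40 info general general 0 The Panorama certificate, "
    "expiring 19-Nov-2033, for managing NGFW and log collectors has been "
    "installed. To activate the renewed certificate, please reboot your device."
)

if __name__ == "__main__":
    print(triage(SAMPLE_MS_LOG, SAMPLE_SYSTEM_LOG, "8847-8736"))
```

A `reboot-required` verdict corresponds to the case in this article: the expired-certificate errors persist, the App version is already above the threshold, and the system log still asks for a reboot.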