Access to a specific site fails with a certificate error when SSL Forward Proxy is enabled
21893
Created On 05/04/22 09:16 AM - Last Modified 12/15/22 23:14 PM
Symptom
- The user's traffic is subject to SSL decryption by SSL Forward Proxy.
- A specific site is inaccessible when its traffic is decrypted, and the browser displays a certificate error.
- Corresponding errors are recorded in the decryption logs.
Environment
- Prisma Access Mobile Users
- Prisma Access Remote Networks
- Palo Alto Networks Strata next-generation firewall (NGFW) running PAN-OS 10.0 or later
Cause
- This is caused by an invalid or incomplete certificate chain from the site in question: the root CA or intermediate CA certificate needed to validate the server certificate is not available to the firewall.
- The SSL Forward Proxy rule uses a decryption profile that has "Block sessions with untrusted issuers" checked.
- With this option enabled, the firewall checks whether the issuer of the server certificate chains to a CA in its trusted CA list.
- If the issuer CA is not in the trusted CA list, or the server does not send the intermediate certificate needed to reach a trusted root, the session is blocked.
- Accessing the site from a client that is not subject to SSL decryption allows the certificate chain sent by the server to be inspected directly.
- For this site, the server did not supply the CA certificate needed to complete the chain to a trusted root.
Resolution
- This is not an issue with Prisma Access or the Palo Alto Networks NGFW.
- Contact the site administrator and ask them to fix the server configuration so that it supplies a complete and valid certificate chain, including any intermediate CA certificate.
- If the site is trusted regardless, there are two options:
- Create a custom URL category containing only this site and exclude it from SSL Forward Proxy with a no-decrypt decryption policy rule.
- Alternatively, create a custom URL category containing only this site and apply a separate decryption profile with "Block sessions with untrusted issuers" unchecked. Note that the session is still decrypted in this case, and because the issuer is untrusted the firewall signs the re-issued certificate with its Forward Untrust certificate, so the browser still shows a warning unless the client trusts that certificate.
- See also: Exclude a Server from Decryption for Technical Reasons
Additional Information
- For additional details, take packet captures on the client machine while accessing the site both without and with SSL Forward Proxy.
- The capture taken without SSL Forward Proxy shows the Server Hello and the Certificate message, which validates exactly what the server is sending. Note that with TLS 1.3 the Certificate message is encrypted, so inspect the chain with a client tool such as openssl s_client -showcerts instead of relying on the capture.