Firewall failing to connect to User-ID Agent (UIA) when using a Custom Certificate on UIA

Created On 08/01/23 03:40 AM - Last Modified 06/13/25 22:40 PM


Symptom


  •   The distributord.log (less mp-log distributord.log) shows that verification of the UIA's server certificate failed:
-0700 [distributord] Received certificate with issuer = '/C=US/ST=CA/O=Example Corp/CN=Example Intermediate CA'
-0700 [distributord] Received certificate with subject = '/C=US/ST=California/L=Los Angeles/O=Example Corp/CN=uia.example.local'
-0700 [distributord] Loading custom trust certs:GS-CTBC-R1 to store
-0700 Error:  pan_distributor_agent_verify_cert_cb(pan_distributor_agent.c:1843): pan_user_id_perform_cn_validations failed
-0700 [distributord] Returning FAILURE from pan_user_id_uia_verify_cert_cb
-0700 Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:412): conn User-ID BR29HQ: SSL_connect return -1
-0700 Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:413): SSL :error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  •  Firewall packet captures show the firewall (172.20.3.13) sending a TLS fatal alert, Unsupported Certificate, to the agent (172.20.3.12):
11	0.010686	2023-07-03 14:36:52.141124	172.20.3.13	172.20.3.12	TLSv1.2		Alert (Level: Fatal, Description: Unsupported Certificate)	73	0.010686000	080a4914382d2b4f0bf0	1226061869	726600688


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • User-ID Agent (UIA)


Cause


  • The Host field of the User-ID Agent configuration on the firewall contains an IP address, whereas the server certificate on the User-ID Agent carries an FQDN.
  • This can be verified by comparing the configuration on the firewall with the distributord logs:
[distributord] Received certificate with subject = '/C=US/ST=California/L=Los Angeles/O=Example Corp/CN=uia.example.local'
  • In this example, the firewall is configured with the IP address 172.20.3.12, but the User-ID Agent presents a certificate whose CN is the FQDN uia.example.local.
  • For the firewall to connect to the agent, the value in the Host field must be the same identity the certificate carries (either the IP address or the FQDN).


Resolution


Configure the User-ID Agent Host field on the firewall to match the Common Name (CN) or a Subject Alternative Name (SAN) entry in the agent's server certificate.

  • If an IP address is configured as the host on the firewall, ensure the server certificate on the User-ID Agent has that IP address in the CN or as an iPAddress SAN entry
  • If an FQDN is configured as the host on the firewall, ensure the server certificate on the User-ID Agent has that FQDN in the CN or as a dNSName SAN entry

 



Additional Information


  • When a custom server certificate is used on the User-ID Agent, the firewall should be configured with a Certificate Profile under User Identification > Connection Security
  • The Certificate Profile should contain the CA chain that issued the custom certificate, otherwise chain validation fails before the host name is even compared

NOTES:

  • If the server certificate has only a CN, the CN is used to validate the host name
  • If the server certificate has a SAN extension, the SAN entries are used instead of the CN, as specified in RFC 2818 section 3.1; a host configured as an IP address must then match an iPAddress SAN entry, not a dNSName entry
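The following script is an added example, not PAN-OS or User-ID Agent code. It reproduces the host name validation described in the Resolution and in the notes above (SAN entries preferred over the CN, iPAddress entries required for IP hosts) as a stand-alone checker you can run against the subject line quoted in distributord.log or against the output of openssl x509 -noout -subject -ext subjectAltName for the agent's certificate. The OpenSSL text formats it parses and the whole-label wildcard rule are assumptions; the exact behaviour of the firewall's own pan_user_id_perform_cn_validations is not documented on this page.

```python
"""Check whether a User-ID Agent 'Host' value would pass certificate identity
validation, following RFC 2818 section 3.1 (SAN preferred over CN).
Added example; not Palo Alto Networks code."""
import ipaddress
import re

# Constructed from the log line quoted in this article.
SAMPLE_LOG_LINE = (
    "-0700 [distributord] Received certificate with subject = "
    "'/C=US/ST=California/L=Los Angeles/O=Example Corp/CN=uia.example.local'"
)

# Accepts straight or curly quotes, since copied KB text often has the latter.
SUBJECT_RE = re.compile(
    r"Received certificate with subject = ['\u2018]([^'\u2019]+)['\u2019]"
)


def subject_from_log(line):
    """Extract the OpenSSL one-line subject from a distributord.log line."""
    m = SUBJECT_RE.search(line)
    return m.group(1) if m else None


def parse_openssl_subject(subject):
    """Parse '/C=US/ST=CA/O=Example Corp/CN=host' into (key, value) pairs."""
    pairs = []
    for part in subject.strip().strip("'\u2018\u2019").split("/"):
        if "=" in part:
            key, _, value = part.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def subject_cn(subject):
    """Return the last CN in the subject, or None if there is none."""
    cns = [v for k, v in parse_openssl_subject(subject) if k == "CN"]
    return cns[-1] if cns else None


def parse_openssl_san(san_line):
    """Parse the entry list OpenSSL prints for subjectAltName, e.g.
    'DNS:uia.example.local, IP Address:172.20.3.12' (assumed format),
    into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def dns_name_matches(pattern, host):
    """Case-insensitive dNSName match. A '*' is only honoured as the whole
    leftmost label and matches exactly one label (stricter than the
    'f*.com' form RFC 2818 tolerates; matches common implementations)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_certificate(host, subject, san=None):
    """Return (ok, reason). `host` is the firewall's User-ID Agent Host field,
    `subject` the certificate subject in OpenSSL one-line form, `san` the
    subjectAltName entry list or None when the certificate has no SAN."""
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if san is not None:
        # SAN present: the CN is ignored entirely (RFC 2818 section 3.1).
        dns_names, ip_addrs = parse_openssl_san(san)
        if host_ip is not None:
            if host_ip in ip_addrs:
                return True, f"iPAddress SAN {host_ip} matches host"
            return False, f"host is IP {host_ip}; iPAddress SAN entries: {ip_addrs}"
        for name in dns_names:
            if dns_name_matches(name, host):
                return True, f"dNSName SAN {name} matches host"
        return False, f"no dNSName SAN matches {host!r} (SAN present, CN ignored)"

    cn = subject_cn(subject)
    if cn is None:
        return False, "certificate has neither SAN nor CN"
    if host_ip is not None:
        try:
            ok = ipaddress.ip_address(cn) == host_ip
        except ValueError:
            ok = False  # CN is a name, host is an address: mismatch
    else:
        ok = dns_name_matches(cn, host)
    return ok, f"CN {cn!r} {'matches' if ok else 'does not match'} host {host!r}"


if __name__ == "__main__":
    subject = subject_from_log(SAMPLE_LOG_LINE)
    for host in ("172.20.3.12", "uia.example.local"):
        print(host, "->", host_matches_certificate(host, subject))
```

Run as-is it reports the article's failure (host 172.20.3.12 against CN=uia.example.local) and the passing configuration (host uia.example.local). Passing the agent's SAN line as the third argument shows the second rule from the notes: once a SAN extension exists, an IP host is accepted only through an iPAddress entry, even if the CN happens to contain that address.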
 



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XfuJCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail