EDL server certificate authentication failed. A local copy of associated external dynamic list will be used.

Created On 06/06/23 13:37 PM - Last Modified 09/12/25 19:40 PM


Symptom


  • External dynamic lists (EDLs) cannot be fetched, and the system logs show the following error:

    EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL name XXX, EDL source URL XXX, Reason: unable to get local issuer certificate
    
  • configd.log (less mp-log configd.log) displays similar errors:

    Error:  pan_ebl_set_curl_proxy_info(pan_cfg_ebl.c:6545): failed to get proxy info
    Error:  pan_ssl_app_verify_callback(pan_cert_api.c:36): Failed to validate x509 cert from ctx: (20) unable to get local issuer certificate
    Error:  pan_ebl_cert_error_callback(pan_cfg_ebl.c:568): Server certificate authentication failed for EDL name<EDL_NAME> ip/fqdn<XXX> Common name of the server certificate <XXX> reason(20)<unable to get local issuer certificate


Environment


  • Palo Alto Networks firewalls
  • Supported PAN-OS versions
  • External Dynamic List (EDL)
  • URL Redirect


Cause


  • The configured EDL source URLs redirect to a different URL.
  • This URL redirection breaks the connection because curl does not follow redirects by default.


Resolution


Configure the URLs in the external dynamic list to be accessible directly without any redirection.
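
A workstation-side check for the cause described in this article, added here as an example (it is not Palo Alto Networks code): it requests the EDL source URL without following redirects and lists each hop, so the URL that answers 200 directly can be configured instead. The function names and the User-Agent string are assumptions, and HTTPS validation here uses the workstation's trust store, not the firewall's certificate profile.

```python
"""Trace the redirect hops of an EDL source URL without auto-following them."""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def fetch_once(url, timeout=10):
    """Send one GET; return (status, Location header or None). Never follows redirects."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        # User-Agent value is an arbitrary label chosen for this example
        conn.request("GET", path, headers={"User-Agent": "edl-redirect-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=fetch_once, max_hops=5):
    """Return [(url, status), ...] per hop, stopping at the first non-redirect."""
    chain = []
    for _ in range(max_hops + 1):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current hop
    return chain

def direct_url(chain):
    """Return the last hop's URL if it answered 200, else None (loop or error)."""
    last_url, last_status = chain[-1]
    return last_url if last_status == 200 else None

if __name__ == "__main__":
    hops = trace_redirects(sys.argv[1])
    for hop_url, hop_status in hops:
        print(hop_status, hop_url)
    if len(hops) > 1:
        print("Redirect detected; candidate direct source URL:", direct_url(hops))
```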

Additional Information


  • This article addresses one of the causes of this error message.
  • Similar error messages can also be caused by certificate chain issues and/or by the proper certificates not having been added to the certificate profile.

