Firewall stops connecting to CDL without any network or CDL issues. ms.log shows "load cert - passphrase is missing"

Created On 06/14/23 01:50 AM - Last Modified 04/11/25 19:16 PM


Symptom


  • The firewall stops logging to CDL (Cortex Data Lake) and is not connected.
  • The CLI command "show logging-status" shows the service as "not connected":
    >Log Collection Service
    'Log Collection log forwarding agent' is active but not connected
  • There is no network connectivity issue (confirmed by the packet captures)
  • There are no registration errors in the logs, and the firewall has the certificates and the correct CDL customer ID/region.
  • Restarting the mgmt and log-receiver services does not help.
  • ms.log (less mp-log ms.log) shows the errors below:
    2023-06-13 12:59:16.448 -0400 Error:  cs_load_certs_ex(cs_common.c:684): commssl: load cert - passphrase is missing
    2023-06-13 12:59:16.448 -0400 Error:  pan_lcsa_tcp_channel_setup(src_panos/lcs_agent.c:2631): lcs agent: cs_load_certs_ex failed
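To make the symptom above easy to spot in a large ms.log without reading it by hand, here is a small parser and checker. This is an added example, not Palo Alto Networks code or part of the original article; it assumes only the ms.log line format visible in the two error lines above, and the sample log lines and "show logging-status" output it uses are constructed from those lines plus benign filler. It flags the cs_load_certs_ex "passphrase is missing" error and records whether the lcs agent channel setup failed right after it, which is the pairing this article describes.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ms.log line layout as shown in the article (assumption: all entries follow it):
#   "<date> <time> <tz> <Level>:  <function>(<file>:<line>): <message>"
MS_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"(?P<level>\w+):\s+"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\((?P<src>[^)]+)\):\s+"
    r"(?P<msg>.*)$"
)


@dataclass
class MsLogEntry:
    ts: str
    level: str
    func: str
    src: str
    msg: str


def parse_ms_log_line(line: str) -> Optional[MsLogEntry]:
    """Parse one ms.log line; return None for lines that do not match the layout."""
    m = MS_LOG_RE.match(line.strip())
    return MsLogEntry(**m.groupdict()) if m else None


def find_cdl_cert_passphrase_issue(lines: Iterable[str], window: int = 4) -> List[dict]:
    """Return one finding per 'passphrase is missing' error from cs_load_certs_ex.

    Each finding records the timestamp and whether pan_lcsa_tcp_channel_setup
    reported 'cs_load_certs_ex failed' within the next `window` entries, i.e.
    whether the bad client cert actually broke the CDL channel setup.
    """
    entries = [e for e in (parse_ms_log_line(l) for l in lines) if e is not None]
    findings = []
    for i, e in enumerate(entries):
        if (e.level == "Error" and e.func == "cs_load_certs_ex"
                and "passphrase is missing" in e.msg):
            followed = any(
                f.func == "pan_lcsa_tcp_channel_setup" and "cs_load_certs_ex failed" in f.msg
                for f in entries[i + 1:i + 1 + window]
            )
            findings.append({"ts": e.ts, "src": e.src, "lcs_agent_failed": followed})
    return findings


def logging_status_not_connected(status_output: str) -> bool:
    """True when 'show logging-status' reports the agent active but not connected."""
    return "active but not connected" in status_output


# Constructed sample: the two article lines plus benign filler in the same layout.
SAMPLE_MS_LOG = [
    "2023-06-13 12:59:10.001 -0400 Info:  pan_mgmt_keepalive(src_panos/mgmt.c:100): mgmt: keepalive ok",
    "2023-06-13 12:59:16.448 -0400 Error:  cs_load_certs_ex(cs_common.c:684): commssl: load cert - passphrase is missing",
    "2023-06-13 12:59:16.448 -0400 Error:  pan_lcsa_tcp_channel_setup(src_panos/lcs_agent.c:2631): lcs agent: cs_load_certs_ex failed",
    "this line is not in ms.log format and must be ignored",
]

# Constructed sample of the CLI output quoted in the article.
SAMPLE_STATUS = ">Log Collection Service\n'Log Collection log forwarding agent' is active but not connected\n"


def diagnose(ms_log_lines: Iterable[str], status_output: str) -> str:
    """Combine both symptoms into one verdict string for an operator."""
    findings = find_cdl_cert_passphrase_issue(ms_log_lines)
    if logging_status_not_connected(status_output) and any(f["lcs_agent_failed"] for f in findings):
        return "lcaas client cert passphrase issue: delete and re-fetch the logging-service certificate"
    if findings:
        return "passphrase error present but channel setup not confirmed failed: inspect ms.log further"
    return "no passphrase-related CDL cert issue found"


if __name__ == "__main__":
    for f in find_cdl_cert_passphrase_issue(SAMPLE_MS_LOG):
        print(f)
    print(diagnose(SAMPLE_MS_LOG, SAMPLE_STATUS))
```

Run it against a copied ms.log (one line per list element) together with the text of "show logging-status"; a verdict naming the passphrase issue means the Resolution steps below apply, while a "no passphrase-related" verdict points at the other causes listed under Additional Information instead.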

 


Environment


  • Prisma Access for Users with dataplane 10.0.8
  • Strata firewalls running 10.0.x, 10.1.8 or below.
  • Cortex Data Lake
  • Logging


Cause


  • The lcaas (logging service) certificate initially fetched by the firewall has an incorrect passphrase.
  • As a result, the lcaas client certificate is not loaded in mgmtsrvr.
  • The connection to CDL therefore fails: the CDL receptor does not receive a valid client certificate in the TLS handshake and tears down the connection.


Resolution


  1. Delete and re-fetch the logging service certificate:
FW(active)> request logging-service-forwarding certificate delete  // delete the cert
FW(active)> request logging-service-forwarding certificate fetch   // re-fetch the cert
  2. The CLI command "show logging-status" should now show the service as "connected".


Additional Information


  • The workaround can be applied without any impact on the firewall dataplane or service.
  • If this workaround does not help, check the logging service certificates and network connectivity, or reach out to Palo Alto Networks Support.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000bq2xCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail