PANDB Cloud Agent Server certificate validation failed due to "self signed certificate in certificate chain"

Created On 09/15/23 09:17 AM - Last Modified 09/26/24 20:10 PM


Symptom


  • A proxy server or SSL decryption server is in use between the firewalls and the Palo Alto URL Cloud.
  • The system logs (show log system) report certificate errors:
PANDB Cloud Agent Server certificate validation failed. Dest Addr: s0000.urlcloud.paloaltonetworks.com, Reason: self signed certificate in certificate chain
  • devsrv.log (less mp-log devsrv.log) reports the following messages:
Perform download from cloud with result Peer certificate cannot be authenticated with given CA certificates.
Error:  pan_cloud_agent_download_cloud_list(pan_cloud_agent_connect.c:1747): PAN-DB cloud list loading failed (ERROR:Peer certificate cannot be authenticated with given CA certificates).
Error:  pan_cloud_agent_get_curl_connection(pan_cloud_agent_connect.c:2544): URL cloud list is empty. Cannot initiate cloud connection.
Warning:  pan_cloud_agent_get_curl_connection(pan_cloud_agent_connect.c:2711): cannot elect a cloud
Failed to open connection with the cloud after 117250 consecutive tries.
path : https://s0000.urlcloud.paloaltonetworks.com/urlcloud_list, path
Downloading URL database via proxy server: XXX.XXX.XXX.XXX:8080
A connection with proxy server is established
Error:  verify_cb(pan_ssl_curl_utils.c:615): Error with certificate at depth: 1
Error:  verify_cb(pan_ssl_curl_utils.c:617): Basic Validation of x509 cert Fail ; Code :  19 
Error:  verify_cb(pan_ssl_curl_utils.c:620): Issuer = /C=XX/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=XYZ
Error:  verify_cb(pan_ssl_curl_utils.c:623): Subject = /C=XX/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=XYZ
Error:  verify_cb(pan_ssl_curl_utils.c:626): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain
Note:
  • The proxy server information (shown here as XXX.XXX.XXX.XXX:8080) is different in every environment.
  • The Issuer and Subject values are also different in every environment.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Appliance with SSL Decryption


Cause


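A proxy server performing SSL decryption replaces the certificates of the Palo Alto Networks Cloud servers with certificates signed by its own CA. The firewall cannot authenticate that chain against its CA certificates, so validation fails with "self signed certificate in certificate chain".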
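
To confirm this cause from devsrv.log, the following added example (not Palo Alto Networks code) parses the verify_cb lines shown under Symptom and flags the interception pattern: code 19 on a certificate at depth 1 or higher whose Issuer equals its Subject, on a connection made through a proxy. The sample log, its proxy address and CA names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the devsrv.log format shown under Symptom (placeholder values).
SAMPLE_LOG = """\
Downloading URL database via proxy server: 192.0.2.10:8080
A connection with proxy server is established
Error:  verify_cb(pan_ssl_curl_utils.c:615): Error with certificate at depth: 1
Error:  verify_cb(pan_ssl_curl_utils.c:617): Basic Validation of x509 cert Fail ; Code :  19
Error:  verify_cb(pan_ssl_curl_utils.c:620): Issuer = /C=XX/O=Example Corp/CN=Example Proxy CA
Error:  verify_cb(pan_ssl_curl_utils.c:623): Subject = /C=XX/O=Example Corp/CN=Example Proxy CA
Error:  verify_cb(pan_ssl_curl_utils.c:626): Failed to validate x509 cert from ctx: (19) self signed certificate in certificate chain
"""

PATTERNS = {
    "proxy": re.compile(r"via proxy server:\s*(\S+)"),
    "depth": re.compile(r"verify_cb\(.*?\): Error with certificate at depth:\s*(\d+)"),
    "code": re.compile(r"verify_cb\(.*?\): Basic Validation of x509 cert Fail ; Code :\s*(\d+)"),
    "issuer": re.compile(r"verify_cb\(.*?\): Issuer = (.+?)\s*$"),
    "subject": re.compile(r"verify_cb\(.*?\): Subject = (.+?)\s*$"),
}

def parse_verify_failures(text):
    """Group verify_cb lines into one record per failed certificate."""
    failures, current, proxy = [], None, None
    for line in text.splitlines():
        m = PATTERNS["proxy"].search(line)
        if m:
            proxy = m.group(1)  # remember the proxy used for later failures
            continue
        m = PATTERNS["depth"].search(line)
        if m:  # a depth line opens a new failure record
            current = {"proxy": proxy, "depth": int(m.group(1))}
            failures.append(current)
            continue
        if current is None:
            continue
        for key in ("code", "issuer", "subject"):
            m = PATTERNS[key].search(line)
            if m:
                current[key] = int(m.group(1)) if key == "code" else m.group(1)
    return failures

def looks_intercepted(f):
    """Heuristic: code 19 on a self-issued CA (depth >= 1) seen through a proxy."""
    return (f.get("code") == 19 and f["depth"] >= 1 and f["proxy"] is not None
            and f.get("issuer") is not None and f.get("issuer") == f.get("subject"))

if __name__ == "__main__":
    for f in parse_verify_failures(SAMPLE_LOG):
        print("interception suspected" if looks_intercepted(f) else "other failure", f)
```

The Issuer value it reports identifies the CA of the decrypting device, which tells you where the exclusion has to be configured.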

Resolution


  1. Whitelist the Palo Alto Networks Cloud servers to exclude them from SSL Decryption.
  2. The connection should now be successful.

