Firewall cannot fetch the CDL certificate, error "Failed to load the JSON file supplied by the server"

Created On 10/15/22 12:14 PM - Last Modified 03/24/23 07:29 AM


Symptom


  • A Palo Alto Networks Strata firewall managed by Panorama and licensed for CDL (Cortex Data Lake, formerly Logging Service).
  • The firewall cannot fetch the certificate it needs to connect to CDL and forward logs.
  • The logging service status shows the following failure.
    admin@PA-fw> request logging-service-forwarding status
    
    Logging Service Certificate information:
    Info: Error sending CSR signing request to Panorama
    Not Valid after: 2022-10-21 00:00:21
    Not Valid before: 2022-07-23 00:00:21
    Status: failure
    Last fetched: Tue Oct 11 17:04:53 2022
    
    
    Logging Service Customer file information:
    Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
    Status: failure
  • The certificate fetch job fails.
    admin@PA-fw> request logging-service-forwarding certificate fetch
    
    Successfully scheduled logging service certificate fetch job with a job id of 34292
    
    admin@PA-fw> show jobs id 34292
    
    Enqueued Dequeued ID Type Status Result Completed
    ------------------------------------------------------------------------------------------------------------------------------
    2022/10/07 14:45:59 14:45:59 34292 LCaaS-certificate-fetch FIN FAIL 100 %
  • ms.log on the firewall shows the following entries.
    2022-10-10 00:04:48.239 -0700 Error: pan_valid_lcaas_cert_present(pan_lcaas_cert_ops.c:663): Either certificate or key or both are missing
    2022-10-10 00:04:48.239 -0700 LCAAS_CERT_RENEWAL scheduled
    2022-10-10 00:04:48.239 -0700 Succesfully scheduled logging service certificate fetch job with a job id of 36069
    2022-10-10 00:04:48.239 -0700 LCAAS_CERT_RENEWAL cert thread start
    2022-10-10 00:04:48.239 -0700 LCAAS_CERT_RENEWAL fetch cert start
    Generating RSA private key, 2048 bit long modulus
    ........................................+++
    .....+++
    e is 65537 (0x10001)
    2022-10-10 00:04:49.355 -0700 Succesfully stored logging service priv_key (169949001_lcaas_cert_priv_key) in cryptod
    2022-10-10 00:04:50.268 -0700 Succesfully sent logging service CSR signing request to panorama
    2022-10-10 00:04:50.268 -0700 Response for cert fetch from CSP: <response status="success"><result><lcaas-cert>None</lcaas-cert><err-msg>Failed to load the JSON file supplied by the server.
    </err-msg><debug-msg/>
    <status>Failure</status>
    </result></response>
    2022-10-10 00:04:50.268 -0700 Error: pan_lcaas_handle_cert_push(pan_lcaas_cert_ops.c:1180): Error response: Failed to load the JSON file supplied by the server.
    
    2022-10-10 00:04:50.270 -0700 Error: _send_csr_signing_request_plugin(pan_lcaas_cert_ops.c:585): Failed to either write certificate file to disk
    2022-10-10 00:04:50.270 -0700 Error: pan_lcaas_fetch_cert(pan_lcaas_cert_ops.c:908): Error sending CSR signing request to Panorama
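The output above can be triaged mechanically rather than by eye. The script below is an added example for this article, not Palo Alto Networks code: it is meant to be run off-box against text copied from the firewall, parses the `request logging-service-forwarding status` output and the ms.log entries, pulls the CSP response XML apart, and reports whether the failure carries the "Failed to load the JSON file supplied by the server" signature. The sample inputs are excerpted from the article's own output (with the line-wrapped response re-joined); the function names, verdict strings and the "healthy" variant used in the usage note are assumptions made here.

```python
"""Triage the CDL / Logging Service certificate-fetch failure from firewall output.

Added example for this article; not Palo Alto Networks code. Function names,
verdict strings and any non-article sample text are assumptions made here.
"""
import re
import xml.etree.ElementTree as ET

# ms.log entries start with a timestamp; continuation lines (the multi-line
# CSP response XML, openssl key-generation chatter) do not.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} ")
CSP_MARKER = "Response for cert fetch from CSP:"
# The err-msg this article ties to the Panorama Cloud Services plugin losing
# its connection to the CDL backend.
JSON_LOAD_ERR = "Failed to load the JSON file supplied by the server"

# Excerpted from the article's ms.log output, with the wrapped line re-joined.
SAMPLE_MS_LOG = """\
2022-10-10 00:04:48.239 -0700 Error: pan_valid_lcaas_cert_present(pan_lcaas_cert_ops.c:663): Either certificate or key or both are missing
2022-10-10 00:04:48.239 -0700 LCAAS_CERT_RENEWAL fetch cert start
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
2022-10-10 00:04:50.268 -0700 Succesfully sent logging service CSR signing request to panorama
2022-10-10 00:04:50.268 -0700 Response for cert fetch from CSP: <response status="success"><result><lcaas-cert>None</lcaas-cert><err-msg>Failed to load the JSON file supplied by the server.
</err-msg><debug-msg/>
<status>Failure</status>
</result></response>
2022-10-10 00:04:50.268 -0700 Error: pan_lcaas_handle_cert_push(pan_lcaas_cert_ops.c:1180): Error response: Failed to load the JSON file supplied by the server.
"""

# Copied from the article's `request logging-service-forwarding status` output.
SAMPLE_STATUS = """\
Logging Service Certificate information:
Info: Error sending CSR signing request to Panorama
Not Valid after: 2022-10-21 00:00:21
Not Valid before: 2022-07-23 00:00:21
Status: failure
Last fetched: Tue Oct 11 17:04:53 2022

Logging Service Customer file information:
Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
Status: failure
"""


def group_entries(log_text):
    """Attach timestamp-less continuation lines to the preceding ms.log entry."""
    entries = []
    for line in log_text.splitlines():
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries


def parse_csp_response(entries):
    """Extract lcaas-cert, err-msg and result status from the CSP response entry."""
    for entry in entries:
        if CSP_MARKER not in entry:
            continue
        xml_text = entry.split(CSP_MARKER, 1)[1].strip()
        root = ET.fromstring(xml_text)
        # Trap: the outer <response status="success"> is only the transport
        # status; the real outcome is <result><status>Failure</status>.
        return {
            "transport": root.get("status", ""),
            "status": (root.findtext("./result/status") or "").strip(),
            "err_msg": (root.findtext("./result/err-msg") or "").strip(),
            "cert": (root.findtext("./result/lcaas-cert") or "").strip(),
        }
    return None


def parse_forwarding_status(text):
    """Turn `request logging-service-forwarding status` output into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" information:"):
            current = line[: -len(" information:")]
            sections[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def triage(ms_log_text, status_text):
    """Return a one-line verdict for the certificate-fetch state."""
    cert = parse_forwarding_status(status_text).get("Logging Service Certificate", {})
    if cert.get("Status", "").lower() != "failure":
        return "certificate fetch healthy"
    resp = parse_csp_response(group_entries(ms_log_text))
    if resp is None:
        return "certificate fetch failing; no CSP response entry found in ms.log"
    if resp["status"].lower() == "failure" and JSON_LOAD_ERR in resp["err_msg"]:
        return "signature matches this article: re-run OTP verification for the Cloud Services plugin on Panorama"
    return "certificate fetch failing for another reason: " + (resp["err_msg"] or resp["status"])


if __name__ == "__main__":
    print(triage(SAMPLE_MS_LOG, SAMPLE_STATUS))
```

Two things in the design are worth noting. A grep for `status="success"` on ms.log would never catch this failure, because the CSP wrapper reports the HTTP exchange as successful while `<result><status>` says Failure; the parser reads the inner element. And the verdict only claims a match when both the forwarding status and the CSP err-msg agree, so a certificate failure with a different err-msg (or with no CSP response entry at all) is reported as something this article does not cover rather than pushed toward the OTP step.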


Environment


  • Palo Alto Networks Strata firewall managed by Panorama.
  • PAN-OS 10.0 or earlier.


Cause


  • The Cloud Services plugin on Panorama has lost its connection to the CDL backend.
  • The Cloud Services plugin on Panorama handles the connection between Panorama and the CDL backend; the firewall sends its CSR signing request to Panorama and the plugin relays it, which is why the firewall-side error reads "Error sending CSR signing request to Panorama".
  • When the license is renewed, the plugin's connection can be interrupted, and the OTP verification has to be performed again.


Resolution


  1. Perform the OTP verification on Panorama for the Cloud Services plugin.
  2. If the procedure produces any errors, refer to the related help article.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEYeCAM&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail