"Failed to validate server certificate for endpoint api.paloaltonetworks.com" is seen when device certificate is not installed in Panorama
Created On 01/05/23 06:24 AM - Last Modified 08/26/24 18:15 PM


Symptom


  • CDL logs are not displayed in Panorama.
  • Cortex Data Lake Status shows an error "Failed to validate server certificate for endpoint api.paloaltonetworks.com".
  • The traffic between Panorama and CDL endpoint is not blocked by any FWs.
  • Re-fetching licenses and Logging Service Certificate did not resolve the issue.
  • The logging service certificate was retrieved successfully and has not expired.
> request plugins cloud_services logging-service status
fail
/snip/
success
Successfully fetched logging service certificate
success
2022-12-13 03:07:26
2023-03-13 03:07:26
2022/12/13 12:18:18
xxxxxxxxxxxx
Failed to validate server certificate for endpoint api.paloaltonetworks.com  
failure
xxxxxxxxxxxxxxxx.in2-lc-prod-us.gpcloudservice.com
xxxxxxxxxxxxxxxx.api2-lc-prod-us.gpcloudservice.com:444
2022/12/13 12:02:20
americas


Environment


  • Any Panorama
  • PAN-OS 10.1 and above
  • Cloud Services plugin installed.
  • Panorama pulls the logs from Cortex Data Lake


Cause


  • The device certificate is not installed on Panorama.
> show device-certificate status

Device Certificate information:
	No device certificate found


Resolution


  1. Install the Panorama Device Certificate.
  2. Restart the "reportd" process on Panorama
> show system resources | match reportd
> debug software restart process reportd
> show system resources | match reportd
  3. After the "reportd" process restarts, Panorama will start using the device certificate for the logging service.
> request plugins cloud_services logging-service status

pass
/snip/
success
Successfully fetched Device Certificate 
success
1670900486
1678676486
2022/12/14 11:03:31
xxxxxxxxxxxx
Successfully fetched Logging Service customer info
success
xxxxxxxxxxxxxxxx.in2-lc-prod-us.gpcloudservice.com
xxxxxxxxxxxxxxxx.api2-lc-prod-us.gpcloudservice.com:444
2022/12/14 11:02:17
americas


Additional Information


For firewalls associated with CDL, delete the CDL license key and refetch it after installing the device certificate.
  • Delete CDL license:
> delete license key <CDL_License_Key>
  • Fetch CDL license:
> request license fetch

 

