How to resolve "Host key verification failed." error while generating TechSupport File
Created On 03/27/23 05:59 AM - Last Modified 04/09/25 20:13 PM
Objective
- When the firewall acts as an SSH client to a remote system (for example, when using SCP to copy files over), it keeps a record of the remote system's SSH host key (its public certificate) together with the corresponding IP address.
- The remote system's certificate sometimes changes, for example after a transition from a self-signed certificate to a publicly signed certificate, or after generation of a new certificate and key pair.
- When the remote system's certificate has changed, the old SSH public key stored on the firewall must be deleted.
- This article helps you understand and resolve this issue.
- An example of the message shown on the first connection, when the host key is recorded, is below.
Finish generating tech support.
The authenticity of host 'tacupload.paloaltonetworks.com (199.167.52.81)' can't be established.
RSA key fingerprint is SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'tacupload.paloaltonetworks.com,199.167.52.81' (RSA) to the list of known hosts.
Welcome to the TAC Upload Service.
- When the remote host's key (and therefore the fingerprint above) changes, the error below is shown:
Finish generating tech support.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
RSA host key for tacupload.paloaltonetworks.com has changed and you have requested strict checking.
Host key verification failed.
lost connection
Environment
- Palo Alto Firewall
- Supported PAN-OS
- Certificates
Procedure
Use the command below to delete the stored SSH fingerprints for the respective user. The user is the one named in the known_hosts path in the error message (admin in the example above, from /opt/pancfg/home/admin/.ssh/known_hosts).
admin@PA-VM> delete authentication user-file ssh-known-hosts
> self   Delete ssh-known-hosts file for self
> user   user

admin@PA-VM> delete authentication user-file ssh-known-hosts self
ssh-known-hosts file doesnot exist yet for admin
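As an added illustration (example code written for this article, not PAN-OS or OpenSSH code), the Python below parses the warning quoted above, locates the offending known_hosts entry that the CLI command removes, and refuses to remove it unless the fingerprint the server presented matches a value confirmed out of band with the remote system's owner. The known_hosts content and key blobs are constructed placeholders, and unhashed hostnames in known_hosts are assumed.

```python
import re

# Constructed sample: the tail of the warning quoted in this article.
WARNING = """\
The fingerprint for the RSA key sent by the remote host is
SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 <<<<<<<<<<<<<<<
RSA host key for tacupload.paloaltonetworks.com has changed and you have requested strict checking.
Host key verification failed.
"""

# Constructed known_hosts content with placeholder key blobs (unhashed hostnames assumed).
KNOWN_HOSTS = (
    "tacupload.paloaltonetworks.com,199.167.52.81 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDEROLDKEY\n"
    "backup.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY\n"
)

FP_RE = re.compile(r"^(SHA256:[A-Za-z0-9+/=]+)\.?$", re.M)
OFFEND_RE = re.compile(r"^Offending (\w+) key in (\S+?):(\d+)", re.M)
HOST_RE = re.compile(r"^\w+ host key for (\S+) has changed", re.M)

def parse_warning(text):
    """Pull the presented fingerprint, key type, known_hosts path, offending
    line number and hostname out of an OpenSSH host-key-changed warning."""
    fp, off, host = FP_RE.search(text), OFFEND_RE.search(text), HOST_RE.search(text)
    if not (fp and off and host):
        raise ValueError("not a recognised 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning")
    return {"fingerprint": fp.group(1), "key_type": off.group(1),
            "path": off.group(2), "line": int(off.group(3)), "host": host.group(1)}

def remove_offending_line(known_hosts, info, confirmed_fingerprint):
    """Return known_hosts text with only the offending line removed (what the
    article's CLI command does for the whole file). Refuse unless the presented
    fingerprint equals the one confirmed out of band, so a rogue host is never trusted."""
    if info["fingerprint"] != confirmed_fingerprint:
        raise ValueError("presented fingerprint does not match the confirmed value")
    lines = known_hosts.splitlines(keepends=True)
    idx = info["line"] - 1
    # Guard against a stale line number: the first field is a comma-separated host list.
    hosts = lines[idx].split()[0].split(",") if idx < len(lines) else []
    if info["host"] not in hosts:
        raise ValueError("offending line does not belong to %s" % info["host"])
    del lines[idx]
    return "".join(lines)

if __name__ == "__main__":
    info = parse_warning(WARNING)
    print(remove_offending_line(KNOWN_HOSTS, info, info["fingerprint"]))
```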
Additional Information
The command for Panorama/Log Collector is different. Refer to: Warning: Remote Host Identification has changed.