Slack notifications (hooks.slack.com) fail with system logs reporting "Reason: certificate has expired"
Created On 03/27/23 07:32 AM - Last Modified 09/04/25 02:40 AM
Symptom
- Panorama or Firewall is configured to forward logs to the Slack "hooks.slack.com" app via an HTTP profile.
- GUI: Device > Log Settings uses the above HTTP profile for sending logs (system logs, for example).
- System logs show errors: HTTP server certificate validation failed. Host: X.X.X.X, CN: slack.com, Reason: certificate has expired.
Environment
- Palo Alto Firewall or Panorama
- PAN-OS 9.1.x and 10.1.x
Cause
- Slack endpoint hooks.slack.com sends a certificate chain including an expired X3 certificate.
- PAN-OS 9.1.x and 10.1.x use this expired certificate as the root certificate.
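To see which certificate in a server-sent chain is the expired one, the chain can be split and each certificate checked on its own. The following is an added example, not part of the original article or a PAN-OS command; it assumes the `openssl` CLI is installed, and the function name `chain_expiry` and the file name `chain.txt` are hypothetical.

```bash
# chain_expiry FILE [WINDOW_SECONDS]   (hypothetical helper, added example)
# FILE holds the PEM certificates a server sent, e.g. saved with:
#   openssl s_client -connect hooks.slack.com:443 -showcerts </dev/null > chain.txt
# Prints one tab-separated line per certificate: index, status, notAfter, subject.
# WINDOW_SECONDS=0 (default) flags certificates that are expired now; a larger
# value flags certificates that will have expired that many seconds from now.
# Returns 0 if nothing is flagged, 1 if any certificate is flagged, 2 on error.
chain_expiry() {
    local bundle window rc i tmp cert status end subj
    bundle="$1"; window="${2:-0}"; rc=0; i=0
    tmp="$(mktemp -d)" || return 2
    # One file per certificate; text outside the BEGIN/END markers
    # (s_client prints handshake details around them) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (dir "/cert" sprintf("%03d", n) ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0 }
    ' "$bundle"
    for cert in "$tmp"/cert*.pem; do
        # An unmatched glob stays literal: the bundle held no certificates.
        [ -e "$cert" ] || { echo "no certificates found" >&2; rc=2; break; }
        i=$((i + 1))
        end="$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
        subj="$(openssl x509 -in "$cert" -noout -subject)"
        # -checkend exits non-zero if the certificate is past notAfter
        # at (now + window seconds).
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            status="OK"
        elif [ "$window" -eq 0 ]; then
            status="EXPIRED"; rc=1
        else
            status="EXPIRING"; rc=1
        fi
        printf '%d\t%s\t%s\t%s\n' "$i" "$status" "$end" "$subj"
    done
    rm -rf "$tmp"
    return "$rc"
}
```

A line marked EXPIRED identifies the certificate that triggers the "certificate has expired" validation failure on a client that uses it as its trust anchor.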
Resolution
- Upgrade the PAN-OS to 10.2.x or above.
- Use the SSL decryption based workaround (applicable only on Firewalls) given under the Additional Information section.
Additional Information
Workaround:
Using SSL decryption, the following workaround might be implemented, but only on a Firewall:
- Create a CA Forward Trust Certificate and a CA Forward Untrust Certificate (assuming SSL Decryption is not in use). If SSL Decryption is already configured, skip this step.
- Configure a service route for HTTP with an interface in a zone which will be further specified in a Decryption policy as a source. In the example, a service route was created to use the loopback.1 interface, which is configured in the zone INSIDE.
- Add a Decryption Policy of type SSL Forward Proxy. Specify as many granular settings as needed. In the simplest version, just zones are sufficient. Ensure it does not affect the existing configuration, ideally by testing in a non-production environment first.
- Verify that the existing NAT setup and Security Policy allow the traffic.
- After implementing the above steps, the certificate chain is modified and the problematic X3 certificate is no longer seen in the TLS Certificate message.