System logs report "SSLMGR certificate CRL verification failed. CRL status unknown: CRL has expired"
Created On 07/21/25 10:23 AM - Last Modified 08/12/25 01:54 AM
Symptom
- Features that are configured with CRL checks, such as SSL Decryption, GlobalProtect, or firewall connections to Panorama, may be affected.
- The following error is observed in the system logs (show log system):
SSLMGR certificate CRL verification failed. CRL status unknown: CRL has expired
- The following error is observed in the sslmgr.log:
debug: sslmgr_check_status(sslmgr_main.c:1730): [2B000000140AA54EE3F79CDBAA000000000014] start revocation status check
Error: pan_crls_is_revoked(pan_crl.c:2314): [CRL] CRL is expired for serial number[2B000000140AA54EE3F79CDBAA000000000014] and uri[http://X.X.X.X/CertEnroll/XXXXX.crl]
debug: sslmgr_check_crl_status(sslmgr_main.c:1650): crl status is unknown
debug: sslmgr_check_status(sslmgr_main.c:1766): [2B000000140AA54EE3F79CDBAA000000000014]
cert status: unknown; cert_reason: CRL has expired; cert_valid_period: 446263; cert method: crl; cert depth: 0
debug: sslmgr_check_status(sslmgr_main.c:1795): chain status update from valid to unknown
- The "debug sslmgr view crl" output shows that the “CRL file next update time” is outdated (earlier than the current time), despite the “CRL cache next update time” being correctly updated.
PANOS-Device> debug sslmgr view crl http://X.X.X.X/CertEnroll/XXXXX.crl
Current time is: Jul 02 04:33:33 2025 GMT
CRL cache next update time is Jul 04 16:44:46 2025 GMT
CRL file next update time is Jun 20 16:44:46 2025 GMT <<<< Outdated
Environment
- Palo Alto Firewalls
- PAN-OS 10.2.14 / 10.2.15 / 10.2.16
- Certificate Profile
- CRL checking enabled
- Block session if certificate status is unknown enabled
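A quick way to confirm the symptom above across several firewalls is to parse the `debug sslmgr view crl` output and compare the two next-update timestamps against the device's current time. The script below is an added example, not part of this article or of PAN-OS; the sample output is constructed to mirror the timestamps shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `debug sslmgr view crl` output: the cache claims the
# CRL is fresh, but the CRL file itself expired days ago (the state this
# article describes).
SAMPLE_OUTPUT = """\
Current time is: Jul 02 04:33:33 2025 GMT
CRL cache next update time is Jul 04 16:44:46 2025 GMT
CRL file next update time is Jun 20 16:44:46 2025 GMT
"""

_TS_FMT = "%b %d %H:%M:%S %Y GMT"
_FIELDS = {
    "current": re.compile(r"^Current time is:\s+(.+?)\s*$", re.M),
    "cache_next": re.compile(r"^CRL cache next update time is\s+(.+?)\s*$", re.M),
    "file_next": re.compile(r"^CRL file next update time is\s+(.+?)\s*$", re.M),
}


def parse_view_crl(text):
    """Return the three timestamps as timezone-aware UTC datetimes."""
    parsed = {}
    for name, rx in _FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"missing field in debug output: {name}")
        ts = datetime.strptime(m.group(1), _TS_FMT)
        parsed[name] = ts.replace(tzinfo=timezone.utc)
    return parsed


def diagnose_crl(text):
    """Classify the CRL state: 'ok', 'stale-file', 'stale-cache' or 'stale-both'.

    'stale-file' is the signature from this article: the cache entry was
    refreshed but the CRL file on disk was not, so sslmgr sees an expired
    CRL, reports status unknown and (with blocking enabled) drops sessions.
    'stale-both' points at a fetch problem (CDP unreachable) instead.
    """
    t = parse_view_crl(text)
    cache_fresh = t["cache_next"] > t["current"]
    file_fresh = t["file_next"] > t["current"]
    if cache_fresh and file_fresh:
        return "ok"
    if cache_fresh:
        return "stale-file"
    return "stale-cache" if file_fresh else "stale-both"


def file_overdue_days(text):
    """Whole days the CRL file's next-update time lies in the past (0 if fresh)."""
    t = parse_view_crl(text)
    return max((t["current"] - t["file_next"]).days, 0)
```

Feed it the captured CLI output of each firewall; a result of `stale-file` on a device running PAN-OS 10.2.14 to 10.2.16 matches the condition in this article.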
Cause
- Software Issue.
- This behavior is due to changes introduced in PAN-OS 10.2.14 that impact the CRL update mechanism.
Resolution
Workaround:
- Disable CRL checking in the Certificate Profile.
- Or uncheck the “Block session if certificate status is unknown” option in the Certificate Profile.
Resolution:
- The issue will be fixed under PAN-295400 in PAN-OS 10.2.17.
- Upgrading to the above version or higher resolves the issue.