GlobalProtect Agent on Linux CentOS cannot connect to GlobalProtect Gateway

GlobalProtect Agent on Linux CentOS cannot connect to GlobalProtect Gateway

15436
Created On 01/06/20 04:33 AM - Last Modified 08/10/20 21:51 PM


Symptom
GP Agent on Linux CentOS cannot connect to the Gateway.

Error messages encountered
There is a problem with the security certificate, so the identity of xxxxxxx cannot be verified. Please contact the Help Desk for your organization to have the issue rectified.
Warning: The communication with xxxxxxx may have been compromised. We recommend that you do not continue with this connection.
 
Error: Gateway gateway: The server certificate is invalid. Please contact your IT administrator.
 
Error: Gateway gateway: GlobalProtect is not licensed for this feature or device. Please contact your IT administrator.


Environment
PAN-OS
Global Protect
GP Agent for Linux CentOS


Cause
2 identified causes to this issue (one condition or both) :
- the certificate used by GP is not trusted.
- the certificate used by GP has CA attributes


Resolution

Case 1 : the GP certificate is not trusted

Verification

From the terminal, use curl in verbose mode to the portal URL
$ curl -vvI https://xxxxx.xxx
  You should see this error (the number may be different, but the meaning should be this one):
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

Resolution

Export the root CA (and the intermediary CA) certificate from the firewall 
Open the terminal and perform the following as root user (or use sudo)
# cp ~/Downloads/cert.crt /etc/pki/ca-trust-source/anchors/
# update-ca-trust extract

Case 2 : the GP certificate has CA attributes

Verification

From the terminal, use curl in verbose mode to the portal URL
$ curl -vvI https://xxxxx.xxx
  You should see some errors message.
* NSS error -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE)
* Certificate key usage inadequate for attempted operation.
* Closing connection 0
curl: (60) Certificate key usage inadequate for attempted operation.

Resolution

The certificate used by GP should not be marked as CA.
The certificate should not be marked as CA
Imported certificate
Contact the System administrator to regenerate a new certificate with CA attribute set.
Self Signed certificate
- Go to Device>Certificate Management> Certificates
- Create a new self signed certificate, it will be used as RootCA.
This certificate will be the one you need to import in your trusted CA store.
create the self-signed certificate
- create a new certificate signed by the Root CA
create the new certificate signed by the RootCA
You should get the following view. You will notice the dependance link between the RootCA and the new certificate.
certificates view

Now, you need to update the SSL/TLS Service profile with the new certificate.
- Go to Device>Certificate Management> SSL/TLS Service Profile
SSL/TLS Service profiles view
- Select the profile used by GP
- Change the certificate with the new certificate
Change the certificate
- Click OK
updated certificate in the SSL/TLS Service Profile
- Commit the changes.


Additional Information
To check the list of the CA manually added
# openssl x509 -noout -subject < /etc/ssl/certs/ca-bundle.crt
You may need to enable "update-ca-trust"
# update-ca-trust enable


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PO4F&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language