https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380721#M806 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168665">@CertInvalid</a>&nbsp;</P><P>&nbsp;</P><P>please see <A href="https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT" target="_blank">https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT</A></P> Tue, 19 Jan 2021 07:20:57 GMT JoergSchuetter 2021-01-19T07:20:57Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380676#M805 <P>So for about the last month (just before xmas) we seem to be having certificate errors for our wildcard cert. Its a wildcard purchased from instantSSL. (sectigo) when using it with global protect client.</P><P>&nbsp;</P><P>It works fine on windows machines. Just seems to be chromebooks and phones. When you go to connect it prints the error "Gateway XXX: The server certificate is invalid. Please contact your IT administrator"</P><P>&nbsp;</P><P>chromebook was restored to factory defaults. Global protect client is from the play store and is version 5.2.4-14 on my test device.</P><P>&nbsp;</P><P>In the logs, i am able to see the following:</P><P>&nbsp;</P><P><FONT face="courier new,courier">(1769)01/18 15:10:57:74295 - PanHttpsClient: 1738, found exception:javax.net.ssl.SSLHandshakeException: Certificate expired at Sat May 30 03:48:38 PDT 2020 (compared to Mon Jan 18 15:10:57 PST 2021)</FONT><BR /><FONT face="courier new,courier">(1769)01/18 15:10:57:74340 - PanHttpsClient: server cert error</FONT></P><P>&nbsp;</P><P>However when i inspect the certificate on the website portal, it says valid till 2022 at a completely different date... So where does this panhttps certificate live? Is there multiple certificates? And also in the same log, it appears to be using this certificate with info as below, clearly valid...&nbsp;</P><P>&nbsp;</P><P><FONT face="courier new,courier">Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA</FONT><BR /><FONT face="courier new,courier">Validity</FONT><BR /><FONT face="courier new,courier">Not Before: Dec 4 00:00:00 2019 GMT</FONT><BR /><FONT face="courier new,courier">Not After : Mar 7 00:00:00 2022 GMT</FONT></P><P>&nbsp;</P><P>Any ideas?</P> Mon, 18 Jan 2021 23:35:05 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380676#M805 CertInvalid 2021-01-18T23:35:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380721#M806 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168665">@CertInvalid</a>&nbsp;</P><P>&nbsp;</P><P>please see <A href="https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT" target="_blank">https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT</A></P> Tue, 19 Jan 2021 07:20:57 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380721#M806 JoergSchuetter 2021-01-19T07:20:57Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380825#M807 <P>Wow thanks man, yes that does explain it!</P><P>&nbsp;</P><P>how to resolve though? Can i just install this on the server? i wont be able to update peoples personal phones obviously. Chromebooks i dont know...&nbsp;</P><P>&nbsp;</P><P>"You may need to update any such systems to include more modern roots if it’s possible to do so."</P><P>Does it mean the clients need to be updated, or the palo alto firewall needs it?</P> Tue, 19 Jan 2021 16:00:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/server-certificate-is-invalid-on-chromebooks-and-phones/m-p/380825#M807 CertInvalid 2021-01-19T16:00:34Z