topic Re: EDL - unable to get local issuer certificate in Next-Generation Firewall Discussions

EDL - unable to get local issuer certificate

orbcomm — Tue, 02 May 2023 18:56:56 GMT

Hi,

Having issues with EDL and certificates. Followed the best practices, and believe everything is set properly.

running pa-8xx clusters running 10.1.9h3, all have the same issue

opendbl.net cert chain is imported and set both root and intermediate in the cert profile. opendbl EDL created, cert profile attached and outbound policy applied.

Anyone run into the following errors? Thanks for any advice.

Example from system monitor logs:

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Blocklist.de All, EDL Source URL: https://opendbl.net/lists/blocklistde-all.list, CN: opendbl.net, Reason: unable to get local issuer certificate

EDL(Blocklist.de All) No changes to authentication status, still failing.

Re: EDL - unable to get local issuer certificate

OtakarKlier — Thu, 04 May 2023 21:53:48 GMT

Hello,

I would say bypass decryption for those url's.

Regards,

Re: EDL - unable to get local issuer certificate

orbcomm — Fri, 05 May 2023 14:13:07 GMT

Hi,

Thanks, tested and works without using cert. Couldn't find a solution that works with cert, so will just continue using http only.

Regards

Re: EDL - unable to get local issuer certificate

TomYoung — Wed, 15 Nov 2023 20:36:25 GMT

Hi @orbcomm ,

I opened a TAC case on this issue, and the certificate is working with 10.2.4-h2. I have seen this issue come and go with different versions. I think it is a bug that is not listed.

If I don't use a certificate profile for the EDL, I get commit warnings. I use Panorama to push my configs, and I want to see "commit succeeded" for all my NGFWs. If I get "commit succeeded with warnings" then I have to drill down into every NGFW. Bottom line: I get rid of all my commit warnings. Besides, a certificate profile is more secure.

Thanks,

Tom

PS It was not working in 10.1.9-h3.

Re: EDL - unable to get local issuer certificate

orbcomm — Fri, 30 Jun 2023 17:37:52 GMT

Hi @TomYoung,

Thanks for the heads up. I see 10.1.10 was just recently released, will try that, if not working will think about upgrading to 10.2 release. Would like to be on the secure side as well.

Regards

Re: EDL - unable to get local issuer certificate

szaidi110 — Wed, 15 Nov 2023 11:08:39 GMT

I have run into the same weird problem, we are running variants of OS 10.1.9 and can't figure out what the issue is. Interestingly, this was working on the current OS not too long ago and only stopped working after we had to update the certificate chain (EDL URL updated their certificates).

TAC hasn't been able to help at all so I am thinking about upgrading to the current preferred release which is 10.1.10-h2 for our base version.

Re: EDL - unable to get local issuer certificate

orbcomm — Wed, 15 Nov 2023 19:53:06 GMT

Hi @szaidi110 I continue to use non-ssl, I have upgraded to 10.2.6 on firewalls with EDL, and planning to test ssl again, just haven't had a change window yet. If you can, non-ssl works until upgrade test.

Re: EDL - unable to get local issuer certificate

TomYoung — Wed, 15 Nov 2023 20:37:24 GMT

Hi @orbcomm ,

Mine continues to work fine on 10.2.4-h2 and 10.2.5.

Thanks,

Tom

Re: EDL - unable to get local issuer certificate

orbcomm — Wed, 15 Nov 2023 20:42:39 GMT

Excellent, thanks for the feedback @TomYoung

Re: EDL - unable to get local issuer certificate

szaidi110 — Wed, 22 Nov 2023 14:54:45 GMT

InfoSec would raise a flag if I bypass the cert authentication so that isn't really a choice. I guess I'll just update my firewalls to 10.2.X and see how it goes