topic Re: Decryption: Received fatal alert CertificateUnknown from client in Next-Generation Firewall Discussions

Decryption: Received fatal alert CertificateUnknown from client

LCMember40912 — Fri, 16 Feb 2024 19:24:38 GMT

Hi Folks,

I'm seeing some instances of "Received fatal alert CertificateUnknown from client" errors in the decryption log when the root\issuer certs are clearly in the FW's cert store. Attached are screenshots of the error and the FW's cert store. Any ideas on what could be going wrong here?

I'm seeing this on PAN OS 11.0.2-h3 & 10.2.7-h3.

Thanks for your thoughts!

Re: Decryption: Received fatal alert CertificateUnknown from client

Satyak — Sat, 24 Feb 2024 08:20:44 GMT

Hi LCMember40912,

The GP certificate which you are using is missing it's root certificate.

This is the reason you are getting the error as the Client/Server it not able to trust the certificate.

As a Workaround please find the below methods.

Please try to import the entire certificate chain given by GoDaddy into the firewall and then Try to add the Root Certificate in the GP Portal and Change the SSL/TLS version max to 1.2.

This should help you in resolving the issue.

Regards

Satya Kalyan

Re: Decryption: Received fatal alert CertificateUnknown from client

tamilvanan — Sun, 25 Feb 2024 15:00:00 GMT

@LCMember40912

Are you configuring SSL inbound decryption in the firewall

Re: Decryption: Received fatal alert CertificateUnknown from client

LCMember40912 — Mon, 26 Feb 2024 16:52:41 GMT

Hi Satya, you are quite correct. When I exported and opened the original cert in the screenshot, it was in fact only an intermediate cert. I was able to download the root and install it. Thanks for setting me straight! 🙂

Ian

Re: Decryption: Received fatal alert CertificateUnknown from client

LCMember40912 — Tue, 27 Feb 2024 17:16:33 GMT

Hi Satyak,

Regrettably, as I go over the decryption logs again today, I'm still seeing instances of my original issue. For example, here's the error in the decryption log (I should note that the source IP address from this entry is assigned to one of our corporate laptops, and thus trusts the forward-trust certificate):

If I go to the indicated URL (http://r3.iencr.org/) and download the certificate, and take a look at the certification path, I see this:

If I take a look in the FW's certificate store, I see this:

So given these facts, how is it still possible to generate the 'CertificateUnknown' error? Thanks for your thoughts! Just to clarify, this is forward proxy decryption, and not GP or inbound...

Re: Decryption: Received fatal alert CertificateUnknown from client

Claw4609 — Tue, 27 Feb 2024 18:16:30 GMT

Is this running from an application on the clients machine or are they just web-browsing to this place? Generally in my experience client cert errors are most often a result of the application doing certificate pinning thus causing ssl inspection to stop this connection.

Re: Decryption: Received fatal alert CertificateUnknown from client

LCMember40912 — Tue, 27 Feb 2024 21:43:00 GMT

"Is this running from an application on the clients machine or are they just web-browsing to this place?"

You know, that's a good question. I don't really know anything apart from what I see in the decryp logs. Just trying to be proactive so people don't write helpdesk messages saying they can't get to this or that site... Is there a way to tell?

Re: Decryption: Received fatal alert CertificateUnknown from client

William-Wu — Mon, 19 Aug 2024 22:06:47 GMT

FYI - Instructions on how to repair incomplete certificate chains:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains

Re: Decryption: Received fatal alert CertificateUnknown from client

emkla123 — Mon, 26 Aug 2024 08:44:59 GMT

I've had very similar issues.
If you trace it back to a corporate laptop, would it be possible that a Chromium based browser is used?

Been issues where legitimate traffic doesn't work as intended if SSL decrypt is being used due to this:
https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
https://tldr.fail/

PAN have a bug fix being pushed PAN-247099