topic Re: Device Certificate Issues. in Next-Generation Firewall Discussions

Device Certificate Issues.

Monicashree — Sat, 27 Jul 2024 10:12:16 GMT

Hi Friends,

One of our customer is facing issues in fetching the device certificate on a PA-410 device running on PAN OS 11.0.4-h2.

We are logging into the CLI of the firewall with Super User credentials and try to fetch the certificate with the below command

> request certificate fetch opt < >
It shows us invalid syntax error. From the GUI we could not see the get certificate option as well.

We have created a policy to allow paloalto-shared services but it didn’t help. Tried by restarting the management server as well but it didn’t help us.
As it is a PA-410 devices we could not able to see the traffic logs to see weather by any chance the traffic is getting blocked.

When we check the device certgen.log we could see the below error.
2024-07-23 16:13:19,013 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:13:19,526 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:15:12,498 device_certgen INFO Device certificate not found
2024-07-23 16:16:49,070 device_certgen INFO Device certificate not found
2024-07-23 16:22:04,924 device_certgen INFO Fetching device certificate
2024-07-23 16:22:56,968 device_certgen INFO Secret_key generated
2024-07-23 16:22:56,968 device_certgen INFO Generated pkey and CSR
2024-07-23 16:22:57,173 device_certgen INFO Source interface: 45.112.139.226
2024-07-23 16:22:57,805 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:22:58,337 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')

Any help or suggestions on how to Proceed further.

Thanks and Regards

Monica Shree.

Re: Device Certificate Issues.

CosminM — Wed, 31 Jul 2024 07:41:29 GMT

Hello @Monicashree

For devices equipped with a TPM chipset (like PA-400 series), the CLI command is simply:

> request certificate fetch

This will create a job, and you can view the details using:

> show jobs id XX ---> replace XX with your actual job ID.

The command "show device-certificate status" allows you to verify the status of your device's certificate.

Re: Device Certificate Issues.

Monicashree — Tue, 30 Jul 2024 03:39:27 GMT

Hi @CosminM ,

The firewall is trying to fetch the certificate but it is getting failed with no error.

Regards

Monica Shree.

Re: Device Certificate Issues.

TomYoung — Tue, 30 Jul 2024 15:58:50 GMT

Hi @Monicashree ,

The error shows up under the "show jobs id <job-id>" command. Did you run the command as @CosminM explained? I have never seen it fail without an error, but this could be the 1st. On very rare occasions, I have seen the job stay in pending forever. That obviously shows no error but the fact that the job did not complete is the error.

Thanks,

Tom

Re: Device Certificate Issues.

Monicashree — Wed, 31 Jul 2024 15:39:21 GMT

Hi @TomYoung ,

Yes I ran the command mentioned by @CosminM and still I could only see fetch failed with out error.

I am adding the screenshots for reference.

Regards,

Monica Shree

Re: Device Certificate Issues.

TomYoung — Wed, 31 Jul 2024 15:51:31 GMT

Hi @Monicashree ,

Thank you for the screen shots! Well, that's disappointing that there is no error.

I apologize. You already provided the relevant error messages in your original post. It looks like your traffic is not connecting to the CSP. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBgsCAG&lang=en_US%E2%80%A9

This may be caused by not having a security policy rule as the article says or by a routing or other issue. Do you see the traffic from the NGFW to the CSP being allowed under Monitor > Logs > Traffic?

Thanks,

Tom

Re: Device Certificate Issues.

Monicashree — Wed, 31 Jul 2024 16:00:35 GMT

Hi @TomYoung ,

This is a PA-410 so i could not find the traffic logs and the firewall is not connected to Panorama as well so logs visibility is not there apart from that I have already added a policy for allowing paloalto-shared services and it is in TOP position. I have checked the service routes as well everything seems to be placed.

I changed the service route from management to data plane as well but didn't help me. I took Packet Captures from the data interface ip and to certificate.paloaltonetworks.com. Interestingly i got all the four drop ; firewall ; receive and transmit packets.

customer is yet to share them. In the mean time if you have any suggestions do let me know or else suggest me what two packets should i merge and check.

Thanks and Regards

Monica Shree

Re: Device Certificate Issues.

TomYoung — Wed, 31 Jul 2024 16:14:48 GMT

Hi @Monicashree ,

You are doing great! The next step is to check the packet captures.

It could be an MTU issue, but it is doubtful. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NlxCAE&lang=en_US%E2%80%A9. Does the traffic go through a VPN before going out to the Internet?

Thanks,

Tom

Re: Device Certificate Issues.

CosminM — Wed, 31 Jul 2024 19:35:07 GMT

Hello @Monicashree

Can you please look into process log with command:

less mp-log device_certgen.log