topic Re: Peer certificate chain building failed due to unable to get local issuer certificate in General Topics

Peer certificate chain building failed due to unable to get local issuer certificate

JohnRumball — Thu, 23 Apr 2020 13:45:09 GMT

Hello,

This is my first post here as I am a new customer of PaloAlto, but not new to networking. I have extensive Cisco background.

We are having an odd problem when trying to create an IKEv1 s2s tunnel between a remote PA220 and Cisco ASA 5525X headend. The PA outside interface has a dynamic address.

We have worked on this issue for days now and even opened a case with PA Support.

We are getting this error on the PA side:

IKE phase-1 negotiation is failed. Peer certificate chain building failed due to unable to get local issuer certificate

In the logs obtained in the CLI, we are seeing this information:

2020-04-23 09:28:06.066 -0400 [PERR]: Trusted CA not found for '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' because of subject issuer mismatch.

2020-04-23 09:28:06.066 -0400 [PERR]: Peer certificate chain building failed due to unable to get local issuer certificate.

I have verified that the certificate chain for the public cert being used on the Cisco ASA headend is intact and complete.

Any ideas??? We have scoured the internet for solution/clues on both sides, Cisco and PA, to no avail.

Thanks in advance.

John

Re: Peer certificate chain building failed due to unable to get local issuer certificate

l.pelland — Thu, 23 Apr 2020 19:26:01 GMT

John,

I'm in a similar position. I will be following this thread closely. Thanks for posting.

Re: Peer certificate chain building failed due to unable to get local issuer certificate

TomYoung — Mon, 06 Sep 2021 19:10:44 GMT

Did you ever find the answer to this issue? Typically the error "unable to get local issuer certificate" means that the CA used to issue your peer certificate is not in your certificate profile (configured under your IKE Gateway). The certificate profile must contain the entire CA certificate chain regardless of what is in the Default Trusted Certificate Authorities.

Re: Peer certificate chain building failed due to unable to get local issuer certificate

GeorgeAPH — Mon, 31 Jul 2023 21:20:26 GMT

Hello,

I'm in similar situation, but mine is more weird. I have PA820 at HQ and two PA410 at remote offices. Both PA410 have almost identical configuration (only IP addresses are different). I'm trying to build IPSec tunnels from HQ to remote offices. One of them works as expected. The other gives me the error in the topic of this thread. The weird thing is that the same CA (internally generated at PA820) issued certificates to both remote offices, but only one of them works while the other doesn't. I checked hundred times and I'm sure the configuration is identical, the "local issuer certificate" is the same for both IKE gateways. I can't understand how is it possible that one remote site works without problems while the other fails to get that local issuer certificate ?!?

Re: Peer certificate chain building failed due to unable to get local issuer certificate

TomYoung — Tue, 01 Aug 2023 13:35:53 GMT

Hi @GeorgeAPH ,

Is your PAN-OS the same on both NGFWs? I ran into this error with a certificate profile for an EDL. An upgrade to 10.2.4 fixed the issue. It turned out to be a bug in the code.

Thanks,

Tom

Re: Peer certificate chain building failed due to unable to get local issuer certificate

GeorgeAPH — Tue, 01 Aug 2023 13:53:54 GMT

Hi, @TomYoung,

Yes, both my satellite firewalls (working and non-working) are one and the same 11.x.x version.

The hub however is on 10.x.x. Thanks for the suggestion, I'll try to see what an upgrade would do for me.

Re: Peer certificate chain building failed due to unable to get local issuer certificate

Parsek — Tue, 20 Feb 2024 13:05:01 GMT

Hi guys:)

Do you have some updates about this problem?

Re: Peer certificate chain building failed due to unable to get local issuer certificate

AngeloOghittu — Tue, 19 Mar 2024 14:45:19 GMT

Hi TomYoung,

I have a customer facing same issue with EDL certificate, I saw you post here as well

https://live.paloaltonetworks.com/t5/next-generation-firewall/edl-unable-to-get-local-issuer-certificate/td-p/540800

The customer is not willing to upgrade without knowing the bug ID, do you have it?

Thank you in advance.

Best regards

Angelo Oghittu

Re: Peer certificate chain building failed due to unable to get local issuer certificate

TomYoung — Tue, 19 Mar 2024 16:03:48 GMT

Hi @AngeloOghittu ,

TAC would not give me a bug ID. I would send the customer this link -> and encourage they upgrade to the recommended version.

Thanks,

Tom

Re: Peer certificate chain building failed due to unable to get local issuer certificate

AngeloOghittu — Wed, 20 Mar 2024 14:40:14 GMT

Hi @TomYoung ,

thank you for your reply. The problem is that the customer is not willing to upgrade to the recommended version due to another bug and

because need to know the issue ID.

I think I should contact the TAC at this point.

Angelo