https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234291#M124799 <P data-start="660" data-end="899">Hi,<BR data-start="663" data-end="666" />I'm having an issue with Palo Alto and DDNS — specifically with DuckDNS. Everything had been working fine for the past two years, but for about a month now, Palo Alto is showing an SSL certificate error.<BR data-start="869" data-end="872" />The exact error message is:</P> <P data-start="901" data-end="989"><STRONG data-start="901" data-end="989">Server response: Peer certificate cannot be authenticated with given CA certificates</STRONG></P> <P data-start="991" data-end="1102">I’m not sure which certificate I should be using to fix this.<BR data-start="1052" data-end="1055" />Has anyone encountered and resolved this issue?</P> Fri, 18 Jul 2025 08:21:14 GMT A.Kuszaj 2025-07-18T08:21:14Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234291#M124799 <P data-start="660" data-end="899">Hi,<BR data-start="663" data-end="666" />I'm having an issue with Palo Alto and DDNS — specifically with DuckDNS. Everything had been working fine for the past two years, but for about a month now, Palo Alto is showing an SSL certificate error.<BR data-start="869" data-end="872" />The exact error message is:</P> <P data-start="901" data-end="989"><STRONG data-start="901" data-end="989">Server response: Peer certificate cannot be authenticated with given CA certificates</STRONG></P> <P data-start="991" data-end="1102">I’m not sure which certificate I should be using to fix this.<BR data-start="1052" data-end="1055" />Has anyone encountered and resolved this issue?</P> Fri, 18 Jul 2025 08:21:14 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234291#M124799 A.Kuszaj 2025-07-18T08:21:14Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234298#M124800 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/839806719">@A.Kuszaj</a>&nbsp;,</P> <P>&nbsp;</P> <P>Root and intermediate CA certificates expire, or new ones are issued, and the Palo Alto firewall's trusted CA store needs to be updated to reflect these changes. Since it was working for two years and stopped about a month ago, it's probable that a certificate in DuckDNS's chain either expired or was updated, and your firewall hasn't updated its trusted CA store accordingly.&nbsp;&nbsp;<SPAN>Possibly you may have to install and set the Intermediate Certificate as a Trusted Route CA.&nbsp; You may have to delete and recreate the Certificate Profile for this to take effect.</SPAN></P> <P>&nbsp;</P> <P>Here are a few things you can check:</P> <P>&nbsp;</P> <P><SPAN>Clarify which certificate chain you have installed to the firewall ? Refer to the article link to install correct intermediate CA on the firewall:&nbsp;</SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC" target="_blank" rel="noopener" data-aura-rendered-by="150:27498;a">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC</A><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Validate the DDNS configurations referring to this document link:&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-dynamic-dns-for-firewall-interfaces" target="_blank" rel="noopener" data-aura-rendered-by="150:27498;a">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-dynamic-dns-for-firewall-interfaces</A><SPAN>&nbsp;</SPAN><SPAN><BR /><BR />Please refer to this article link providing resolution for Error message: Peer certificate cannot be authenticated with given CA certificates:&nbsp;</SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLz3CAG&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener" data-aura-rendered-by="150:27498;a">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLz3CAG&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Fri, 18 Jul 2025 08:41:16 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234298#M124800 kiwi 2025-07-18T08:41:16Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234786#M124848 <P>I had the same issue. You'll need the "<SPAN>Amazon RSA 2048 M02" and "Amazon Root CA 1"&nbsp;and create a new cert profile for DuckDNS.&nbsp;</SPAN>Click the download link next to "Additional Certificates (if supplied)". Copy the middle and last cert in the chain and create new PEM files in notepad.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=duckdns.org" target="_blank">SSL Server Test: duckdns.org (Powered by Qualys SSL Labs)</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 28 Jul 2025 14:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-the-duckdns-certificate-for-the-ddns-service/m-p/1234786#M124848 akolodziej 2025-07-28T14:17:41Z