https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234706#M124838 <P>FYI, We have just identified that this issue appears to be related to the internal logging and alerting process in the firewall rather than an actual fault with the firewall successfully accessing and updating the EDL from the cortex tenant. We noticed that while we are getting email alerts for the issue every hour, (which is how often the cortex EDLs are set to update) the system logs in the firewall do not show any further alerts for this issue since July 15th. We then created a new entry into the domain EBL in cortex as testbad.com, logged into the firewall, checked the EDL and then clicked import now and the new domain showed up in the list on the firewall.</P> <P>&nbsp;</P> <P>TLDR; even though we continue to get email alerts regarding Cortex EDL Sources failing to authenticate due to self signed cert, the firewall is downloading them anyway.</P> Fri, 25 Jul 2025 15:03:01 GMT ycgmis 2025-07-25T15:03:01Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1233923#M124755 <P>I'm receiving this error from our firewall every 2 minutes, I can't figure out what the cause is. The reason says "self signed certificate in certificate chain" but I don't know what self signed cert it is talking about. This has been working for years now, the cert selected on the firewall is the GoDaddy root from&nbsp;<A class="link ft-external-link" href="https://certs.godaddy.com/repository/gd-class2-root.crt" target="_blank" rel="noopener">https://certs.godaddy.com/repository/gd-class2-root.crt</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>The source URL is copied our Cortex XDR settings</P> <P><A href="https://edl-hxdr.xdr.us.paloaltonetworks.com/block_list?type=domain" target="_blank">https://EDL-MyXDRInstance.paloaltonetworks.com/block_list?type=domain</A></P> <P>&nbsp;</P> <P>'EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won\'t impact your policy. EDL Name: Cortex Domains, EDL Source URL: https://&lt;edl&gt;.paloaltonetworks.com/block_list?type=domain, CN: *.xdr.us.paloaltonetworks.com, Reason: self signed certificate in certificate chain</P> Mon, 14 Jul 2025 13:13:56 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1233923#M124755 DopedWafer 2025-07-14T13:13:56Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1233924#M124756 <P>Realizing now that it seems to have stopped at 5am CST this morning, so maybe this is resolved?</P> Mon, 14 Jul 2025 13:52:49 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1233924#M124756 DopedWafer 2025-07-14T13:52:49Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234258#M124791 <P>On same day we also encountered this issue related to the EDL and we also using external go daddy certificate. Have you found any fix from TAC?</P> <P>We reached out to TAC and trying to find the root cause.</P> Thu, 17 Jul 2025 12:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234258#M124791 S.Venkatesan 2025-07-17T12:30:25Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234263#M124792 <P>Hello,</P> <P>&nbsp;</P> <P>The digital certificate presented by edl-hxdr.xdr.us.paloaltonetworks.com has a chain issue.</P> <P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=edl-hxdr.xdr.us.paloaltonetworks.com" target="_blank" rel="noopener">https://www.ssllabs.com/ssltest/analyze.html?d=edl-hxdr.xdr.us.paloaltonetworks.com</A></P> <P>&nbsp;</P> <P>To fix that you need to download the intermediate authority certificate and to import into your firewall, then mark the imported certificate as Trust Root CA Certificate.</P> <P>&nbsp;</P> <P>To help you, I already downloaded the intermediate authority certificate and you can take it from this comment. Just unzip and upload the extracted certificate to your firewall.</P> <P>&nbsp;</P> <P>If you want to know more how to fix incomplete chain issues, please have a look here:&nbsp;<A href="https://docs.paloaltonetworks.com/network-security/decryption/administration/troubleshooting-decryption/repair-incomplete-certificate-chains#repair-incomplete-certificate-chains-pan-os" target="_blank" rel="noopener">Repair Incomplete Certificate Chains</A></P> <P>&nbsp;</P> Thu, 17 Jul 2025 15:08:21 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234263#M124792 CosminM 2025-07-17T15:08:21Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234486#M124818 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/197789">@CosminM</a>&nbsp;we have tried that procedure and it work it until we referenced the&nbsp;intermediate authority certificate into the certificate profile associated to the EDL. That was on a PA-440 without decryption.<BR /><BR />We are trying to stop this alert on a PA-3220 with the same procedure but we still having the alert.</P> <P>&nbsp;</P> <P>Has anyone fix this issue ?</P> Tue, 22 Jul 2025 18:39:18 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234486#M124818 Suscripciones 2025-07-22T18:39:18Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234660#M124830 <P>We began having the same issue on our 3220. The certificate path has apparently changed. Before it was using GlobalSign. Now it's pointing to Godaddy. We have a TAC case open but the TAC doesn't seem to know what the issue is either. I've tried the suggested fixes, including the one on this thread but still no luck.</P> Thu, 24 Jul 2025 20:16:59 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234660#M124830 ycgmis 2025-07-24T20:16:59Z https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234706#M124838 <P>FYI, We have just identified that this issue appears to be related to the internal logging and alerting process in the firewall rather than an actual fault with the firewall successfully accessing and updating the EDL from the cortex tenant. We noticed that while we are getting email alerts for the issue every hour, (which is how often the cortex EDLs are set to update) the system logs in the firewall do not show any further alerts for this issue since July 15th. We then created a new entry into the domain EBL in cortex as testbad.com, logged into the firewall, checked the EDL and then clicked import now and the new domain showed up in the list on the firewall.</P> <P>&nbsp;</P> <P>TLDR; even though we continue to get email alerts regarding Cortex EDL Sources failing to authenticate due to self signed cert, the firewall is downloading them anyway.</P> Fri, 25 Jul 2025 15:03:01 GMT https://live.paloaltonetworks.com/t5/general-topics/edl-server-certificate-authentication-failed-a-local-copy-of/m-p/1234706#M124838 ycgmis 2025-07-25T15:03:01Z