topic Re: External dynamic list failing at refresh in General Topics

External dynamic list failing at refresh

rperez-mz — Thu, 07 Jun 2018 18:14:34 GMT

This should be simple, but i have been at it for much too long and support hasnt been able to figure it out. Hoping someone here has had this issue.

I have a simple EDL to allow (type IP) the source is https and it's a txt file on a bitbucket repo.

I have added the certs (root and intermediate) directly from the CA that signed them (well known CA, not internal). the root had the box checked "trusted root ca cert"

I have created a cert profile with the certs

When I go to refresh I see the refresh job fail with the follwing:

EDLRefresh job failed. Cert validation failed

EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: TEST-EDL-IP, EDL Source URL: https://blah.blah.blah.txt, CN: *.blah.com, Reason: self signed certificate in certificate chain

I have tried it on 3 different firewalls and all fail in the same way. All are on panos 8. I have tried it with an http source (without a cert profile) and it works as it's supposed to, so at least I know the EDL object and rules, etc work. I think it might be a stupid simple thing that I am missing, but I can't figure it out. I have no hair. Thank you for your assistance

Re: External dynamic list failing at refresh

BPry — Thu, 07 Jun 2018 18:14:55 GMT

@rperez-mz,

Do you have any intermediate certs that maybe need to be added?

Re: External dynamic list failing at refresh

rperez-mz — Thu, 07 Jun 2018 18:18:00 GMT

@BPry

both root and intermediate have been added. the cert itself for bitbucket was also added, but it can't be included in the cert profile for some reason... not sure it supposed to be anyway.

Re: External dynamic list failing at refresh

Anon1 — Thu, 07 Jun 2018 20:44:21 GMT

There is a bug that EDLs cannot be downloaded from https servers which only support TLS. Fixed in PAN-OS 8.0.7 or higher. Or change the webserver to allow SSLv3.

PAN-85047: Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.

However your issue seems to be different. Sounds more like missing certificate in trusted store.

Re: External dynamic list failing at refresh

BPry — Thu, 07 Jun 2018 20:59:58 GMT

@rperez-mz,

As @Anon1 mentioned all of the errors kind of point to you missing something within the certificate chain that is causing the issue; I would verify that it's all present and contact TAC so they can look over the configuration in its entirety if you continue to have issues.

Re: External dynamic list failing at refresh

rperez-mz — Wed, 13 Jun 2018 00:24:22 GMT

Thank you @Anon1 and @BPry you were right. I thought I had the whole chain. I just got in touch with the issuer and asked for the root/issuing, etc certs and indeed they were completelty different. That resolved it.