topic Re: Web interface connection refused probably due to expired certificate. in General Topics

Web interface connection refused probably due to expired certificate.

LCMember4427 — Fri, 15 Jun 2018 12:20:04 GMT

Hey,

The subject says it all...

This is a VM-100 with latest updates.

I can log in to CLI and I wonder how can I list all certificates, identify the expired cert and if possible renew it, all through CLI.

Thanks for any comments and a list of my options in this situation 🙂

best regards Tor

Re: Web interface connection refused probably due to expired certificate.

BPry — Fri, 15 Jun 2018 14:25:49 GMT

@LCMember4427,

Pull the running configuration from the CLI, identify the cert in question and update it directly through the CLI and push it back to the box, load it and commit.

FYI, an expired cert shouldn't block you from accessing the web interface; you should be able to bypass the warning and still access the GUI.

Re: Web interface connection refused probably due to expired certificate.

LCMember4427 — Mon, 18 Jun 2018 08:27:47 GMT

Hi,

Thanks for the advice. I got the config and found the properties of the expired certificate, see below.

There are a total of 6 certificate entries (but only this is expired). Does it exist an how-to to renew or create a new cert? Thanks for comments on how I can proceed further by the CLI...

regards Tor

CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
</public-key>
        <algorithm>RSA</algorithm>
      </entry>
      <entry name="MyCompanys CA 2017">
        <subject-hash>c16a5de3</subject-hash>
        <issuer-hash>94d7a06a</issuer-hash>
        <not-valid-before>Jan 26 20:02:51 2017 GMT</not-valid-before>
        <issuer>/C=NO/ST=Some-State/O=MyCompany VGS</issuer>
        <not-valid-after>Jun 10 20:02:51 2018 GMT</not-valid-after>
        <common-name>172.23.10.2</common-name>
        <expiry-epoch>1528660971</expiry-epoch>
        <ca>no</ca>
        <subject>/C=NO/ST=Some-State/O=MyCompany VGS/OU=Firewall/CN=172.23.10.2</subject>
        <public-key>-----BEGIN CERTIFICATE-----
MIIDFjCCAf4CCQCYA5DXj+1MWDANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJO

Re: Web interface connection refused probably due to expired certificate.

LukeBullimore — Mon, 18 Jun 2018 11:59:18 GMT

Hi,

From the CLI:

> request certificate renew days-till-expiry <days> certificate-name <certname>

> request certificate generate
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department

Seconding what @BPry has said - you should still be able to login to the webUI -even with an expired cert.

Thanks,

Luke.

Re: Web interface connection refused probably due to expired certificate.

LCMember4427 — Mon, 18 Jun 2018 13:44:50 GMT

Hi again,

Thanks for all help. I see your last comment both of you, however our webinterface ceased to respond at the day the CA cert expired and I read about it here:

https://live.paloaltonetworks.com/t5/Management-Articles/Unable-to-Access-Web-Console-via-HTTP-or-HTTPS/ta-p/53251

If you have other suggestions as to why our webinterface ceased to respond, I'm of course open to any help or troubleshooting tips.

Anyway, I tried to renew our current CA cert by this command:

VM-100> request certificate renew days-till-expiry 400 certificate-name "MyCompany CA 2017"
.. but got this error:
Server error : Failed to determine the issuer of certificate

This is a self signed cert, so which parameters do I apply to make it content ?

Thanks again 🙂

best regards Tor

Re: Web interface connection refused probably due to expired certificate.

LukeBullimore — Mon, 18 Jun 2018 13:53:22 GMT

Hi Tor,

The article you sent actually mentions about the absence of a certificate entirely - rather than an expired one.

As per the article's recommendations, have you tried to assign the primary certificate from you chain to the webserver?

> configure
# set deviceconfig system web-server-certificate <certname>
# commit
# exit

Regarding this error, I have not seen this before and the steps you took to renew the self signed-CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) What Pan-OS version are you running also?

Re: Web interface connection refused probably due to expired certificate.

LCMember4427 — Tue, 19 Jun 2018 20:08:43 GMT

Hi again,

Thanks a lot! The restarting of the management plane did the trick. After that we were able to relogin to the webinterface and I created a new cert and now all is well.

The 'disconnection' occurred at about same time as the https cert expired. I'm on version 8.1.1. Is it possible that the cert expiration caused the management plane to 'hang' so web interface access was disabled..?

Anyway, I'm just glad to be up and running again. Thanks again 🙂

Tor