https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/315965#M81322 <P>One of my application is not&nbsp; decrypted i have applied SSL inbound decryption policy&nbsp; and got decryption-error.</P><P>On other hand another application with same intermediate certificate&nbsp; having decrypted. As same intermediate only&nbsp; child certificate is change.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24369i60B0F8A290FCB619/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> Thu, 12 Mar 2020 07:18:23 GMT Joshan_Lakhani 2020-03-12T07:18:23Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/315965#M81322 <P>One of my application is not&nbsp; decrypted i have applied SSL inbound decryption policy&nbsp; and got decryption-error.</P><P>On other hand another application with same intermediate certificate&nbsp; having decrypted. As same intermediate only&nbsp; child certificate is change.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24369i60B0F8A290FCB619/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> Thu, 12 Mar 2020 07:18:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/315965#M81322 Joshan_Lakhani 2020-03-12T07:18:23Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/316094#M81343 <P>It is near impossible to answer any speculative issues without logs showing details..&nbsp;</P> <P>&nbsp;</P> <P>Looking at past cases, this issue is normally caused by<SPAN>&nbsp;an incomplete certificate chain.</SPAN></P> <P>Normally, the workaround for this particular issue to import the entire chain as one bundle. Please follow the document:- <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523</A></P> <P>&nbsp;</P> <P>I hope this helps.</P> Thu, 12 Mar 2020 19:05:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/316094#M81343 jdelio 2020-03-12T19:05:38Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/316100#M81344 <P>Certificate chain is also complete intermediate and parent certificate all are complete i have received this already when i apply decryption.</P><P>traffic is generating an error message - ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Cipher suite mismatch&nbsp;Firewall and server).&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24375i5873E5C717498E99/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P> Thu, 12 Mar 2020 19:19:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/316100#M81344 Joshan_Lakhani 2020-03-12T19:19:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/534692#M110009 <P>Sorry for the bump, but it might help others.&nbsp;</P> <P>&nbsp;</P> <P>I stumbled upon the exact same problem, the problem in this case was that the certificate/key were automatically renewed on the server. This is quite common when using Let's Encrypt with ACME (http-01 or dns-01) challenge.&nbsp;</P> <P>&nbsp;</P> <P>When getting this error make sure to check if this is the case.&nbsp;</P> <P>&nbsp;</P> <P>In these cases it makes sense to automate the renewal of the certificates on the firewall with the API, as an example.</P> <LI-CODE lang="markup">curl -k -X POST -F "file=@server.key" "https://1.2.3.4/api/?key=xxx&amp;type=import&amp;category=private-key&amp;certificate-name=server.com&amp;format=pem&amp;passphrase=xxx" </LI-CODE><LI-CODE lang="markup">curl -k -X POST -F "file=@server.crt" "https://1.2.3.4/api/?key=xxx&amp;type=import&amp;category=certificate&amp;certificate-name=server.com&amp;format=pem"</LI-CODE> <P>&nbsp;</P> Thu, 16 Mar 2023 10:50:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-decryption-error/m-p/534692#M110009 robmaas 2023-03-16T10:50:42Z