topic Re: Global Protect config problem: The server certificate is invalid. in General Topics

Global Protect config problem: The server certificate is invalid.

GOMEZZZ — Fri, 20 Mar 2020 14:21:22 GMT

Hi,

In lab i am trying to setup a simple global protect configuration where the gateway and portal are on the same IP and just using local user authentication. I have a certificate for my my public IP from let's ecnrypt and have imported this into palo alto.

I am able to connect to the portal without any certificate issues. But when connecting through the gateway i am getting the server certficate is invalid.

My config looks like this:

Portal config:

GPP-Portal {
portal-config {
client-auth {
GPP-AUTH {
os Any;
authentication-profile "Local-Database Authentication";
authentication-message "Enter login credentials";
}
}
local-address {
interface loopback;
ip {
ipv4 10.1.1.1;
}
}
custom-login-page factory-default;
custom-home-page factory-default;
custom-help-page factory-default;
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
}
client-config {
configs {
AUTH-PORTAL {
hip-collection {
max-wait-time 20;
collect-hip-data yes;
}
gateways {
external {
list {
fw.relianet.be {
fqdn fw.relianet.be;
priority-rule {
Any {
priority 1;
}
}
manual yes;
}
}
cutoff-time 5;
}
}
authentication-override {
generate-cookie no;
}
source-user any;
os Windows;
agent-ui {
max-agent-user-overrides 0;
agent-user-override-timeout 0;
}
gp-app-config {
config {
connect-method {
value on-demand;
}
refresh-config-interval {
value 24;
}
agent-user-override {
value allowed;
}
client-upgrade {
value prompt;
}
use-sso {
value no;
}
logout-remove-sso {
value yes;
}
krb-auth-fail-fallback {
value yes;
}
retry-tunnel {
value 30;
}
retry-timeout {
value 5;
}
enforce-globalprotect {
value no;
}
captive-portal-exception-timeout {
value 0;
}
traffic-blocking-notification-delay {
value 15;
}
display-traffic-blocking-notification-msg {
value yes;
}
traffic-blocking-notification-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-heigh
t: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
}
allow-traffic-blocking-notification-dismissal {
value yes;
}
display-captive-portal-detection-msg {
value no;
}
captive-portal-detection-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size
: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0
; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
}
certificate-store-lookup {
value user-and-machine;
}
scep-certificate-renewal-period {
value 7;
}
retain-connection-smartcard-removal {
value yes;
}
enable-advanced-view {
value yes;
}
enable-do-not-display-this-welcome-page-again {
value yes;
}
rediscover-network {
value yes;
}
resubmit-host-info {
value yes;
}
can-change-portal {
value yes;
}
can-continue-if-portal-cert-invalid {
value yes;
}
show-agent-icon {
value yes;
}
user-switch-tunnel-rename-timeout {
value 0;
}
pre-logon-tunnel-rename-timeout {
value -1;
}
show-system-tray-notifications {
value no;
}
max-internal-gateway-connection-attempts {
value 0;
}
portal-timeout {
value 5;
}
connect-timeout {
value 5;
}
receive-timeout {
value 30;
}
enforce-dns {
value yes;
}
flush-dns {
value no;
}
proxy-multiple-autodetect {
value no;
}
wsc-autodetect {
value yes;
}
mfa-enabled {
value no;
}
mfa-listening-port {
value 4501;
}
mfa-notification-msg {
value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
ipv6-preferred {
value yes;
}
}
}
save-user-credentials 2;
portal-2fa no;
manual-only-gateway-2fa no;
internal-gateway-2fa no;
auto-discovery-external-gateway-2fa no;
mdm-enrollment-port 443;
}
}
}
satellite-config {
client-certificate {
local;
}
}
}

GATEWAY:

GP-GATEWAY {
roles {
default {
login-lifetime {
days 30;
}
inactivity-logout {
hours 3;
}
disconnect-on-idle {
minutes 180;
}
}
}
client-auth {
GPG-CLIENT-AUTH {
authentication-profile "Local-Database Authentication";
os Any;
authentication-message "Enter login credentials";
}
}
remote-user-tunnel-configs {
GPG-Agent {
authentication-override {
generate-cookie no;
}
split-tunneling {
access-route 192.168.1.0/24;
exclude-access-route;
}
source-user any;
authentication-server-ip-pool;
ip-pool 192.168.250.0/24;
os any;
retrieve-framed-ip-address no;
no-direct-access-to-local-network no;
}
}
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
tunnel-mode yes;
remote-user-tunnel tunnel.3;
}

Anybody that can help me out with this.

Re: Global Protect config problem: The server certificate is invalid.

kiwi — Fri, 09 Mar 2018 08:19:45 GMT

Hi @GOMEZZZ,

You might be running into the following issue :

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-When-Trying-to-connect/ta-p/57043

Hope this helps.

Cheers !

-Kiwi.

Re: Global Protect config problem: The server certificate is invalid.

GOMEZZZ — Wed, 14 Mar 2018 07:53:49 GMT

Hi Kiwi,

It doesnet seem to be related to this issue.

Frederik.

Re: Global Protect config problem: The server certificate is invalid.

AndyC_234 — Thu, 15 Mar 2018 08:23:26 GMT

If you have a certificate on your IP; instead of your hostname; you need to change the external gateway FQDN name to the IP and not use fw.relianet.be

So change this:

gateways {external {list {fw.relianet.be {fqdn fw.relianet.be;priority-rule {Any {priority 1;}}

To this:

gateways {external {list {fw.relianet.be {fqdn <your IP address>;priority-rule {Any {priority 1;}}

A-

Re: Global Protect config problem: The server certificate is invalid.

GOMEZZZ — Thu, 15 Mar 2018 15:06:45 GMT

Hi andy,

I have a certificate with subject and SAN set to fw.relianet.be

I modified it as you suggest for testing but still have the same result:

gateways {
          external {
            list {
              fw.relianet.be {
                ip {
                  ipv4 81.83.18.57;
                }
                priority-rule {
                  Any {
                    priority 1;
                  }

If you need any other output screenshots please let me know.

Tnx,

Frederik.

Re: Global Protect config problem: The server certificate is invalid.

AndyC_234 — Thu, 15 Mar 2018 15:26:17 GMT

I would enable the debugger on the client, and see why it's not accepting your cerftificate, it will tell you exactly what is wrong.

If you right click on your client, you can choose "Collect Logs", open that zipfile and open PanGPS.log.

Look for anything related to SSL:

(T21656) 03/12/18 15:19:20:667 Debug( 322): Open_SSL_connection: subject '/C=US/ST=West Virginia/L=Charleston/O=xxxxxxxxx (US) Inc./OU=IS/CN=*.xxxxxxx.com'
(T21656) 03/12/18 15:19:20:667 Debug( 326): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA'
(T21656) 03/12/18 15:19:20:667 Debug(1006): Name vpn.xxxxxxxxx.com matches pattern *.xxxxxxx.com
(T21656) 03/12/18 15:19:20:667 Debug( 923): Cert name check of *.xxxxxxx.com succeeded

Re: Global Protect config problem: The server certificate is invalid.

GOMEZZZ — Thu, 15 Mar 2018 15:50:03 GMT

6:39:52:897 Debug( 545): Failed to connect to 81.83.18.57 on 443 with return error -1 and socket error 0(The operation completed successfully.)
(T5540) 03/15/18 16:39:52:897 Debug( 697): do_tcp_connect() failed
(T5540) 03/15/18 16:39:52:897 Error(7700): ConnectSSL: Failed to connect to '81.83.18.57:443'. Disconnect ssl.
(T5540) 03/15/18 16:39:52:897 Debug(7711): Cannot get server cert of 81.83.18.57
(T5540) 03/15/18 16:39:52:897 Debug(5145): Already tried both ipv4 and ipv6 for gateway fw.relianet.be
(T5540) 03/15/18 16:39:52:897 Error(2845): Failed to verify server certificate of gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(4576): Show Gateway fw.relianet.be: The server certificate is invalid. Please contact your IT administrator.
(T5540) 03/15/18 16:39:52:897 Info (2148): Failed to retrieve info for gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(2155): tunnel to fw.relianet.be is not created.
(T5540) 03/15/18 16:39:52:897 Error(3876): NetworkDiscoverThread: failed to discover external network.
(T5540) 03/15/18 16:39:52:897 Debug(4733): --Set state to Disconnected

I also remove the global protect client and clear the folders in C:\Users\username\appddata\local\Palo alto\...

Everytime i change something.

Re: Global Protect config problem: The server certificate is invalid.

SturgisIT — Wed, 06 Nov 2019 19:40:02 GMT

Was this ever resolved? - I see the exact type errors in my log and its not clear where to go from here.

Re: Global Protect config problem: The server certificate is invalid.

FarzanaMustafa — Wed, 06 Nov 2019 22:38:55 GMT

@GOMEZZZ ,

Please check the following.

- Try with a different version of GP.

- It can happen if you have external root CA. Please try to install a client certificate issued by your domain server(Root CA).
Also make sure two things below.
- Add Root CA, PAN Forward Trust certificate in CA certificates under Certificate Profile
- Add Root CA, PAN Forward Trust certificate in Trusted Root CA under GP portal config.

Invalid http response

Mrahman1 — Sat, 25 Apr 2020 03:34:13 GMT

Hello Team,

I am having the below issue and I do enter my "Local Credentials" but nothing happens. Please help me.

invalid http response. return error(Credential authentication failed; Retry authentication). - 04/24/2020 21:42:09 (enter credentials)

Thank you,

Mohammad Rahman

Re: Global Protect config problem: The server certificate is invalid.

trivers01 — Sat, 23 May 2020 00:02:47 GMT

hey @GOMEZZZ

I know it's been a while since you'v made this post, but I hope this message finds you well.

Based on the PanGPS logs you've previously posted, the Agent is unable to verify the server certificate used for the Gateway SSL/TLS profile.

Common issues for this would include CN mismatch, as mentioned before by other community members, and incorrect certificate deployment: eg the Agent is unable to follow the full chain. A quick way to test this is using your local browser to connect and reviewing the output messages.

Could you please confirm the following:

1. The root (and intermediate if applicable) CA(s) used to sign the imported Portal/Gateway certificate are deployed in the correct directories on the endpoint

2. The server certificate used for the Portal/Gateway has the correct CN (and SAN if applicable) attribute

I've included documentation discussing the certificate deployment options for GlobalProtect below for your reference also.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/get-started/enable-ssl-between-globalprotect-components/deploy-server-certificates-to-the-globalprotect-components.html

-Cheers