topic Re: Failed to renew device certificate in General Topics

Failed to renew device certificate

kbe — Wed, 17 Mar 2021 11:37:43 GMT

the device certificate is going to expire end of march.

My PA trys to renew it and comes up with the following error:

Failed to renew device certificate.Failed to send request to CSP server.Error: No OCSP response received(dest => 35.238.43.180)

I have no telemetry enabled.

Just activated the certificate with OTP on 2020/12/29 after upgrading to PanOS 9.1.7.

Now it´s the first try of my PA to renew it.

The only thing i found relates to PanOS 9.1.8 wich seems to fix another error with device certificate:

Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP):

invalid ocsp response sig-alg

Any ideas where to look for?

TIA

Re: Failed to renew device certificate

LGCoelho — Wed, 17 Mar 2021 14:38:02 GMT

Have you checked your conectivity to certificate.paloaltonetworks.com?

I've just installed a new certificate for a Panorama, worked ok.

Re: Failed to renew device certificate

kbe — Wed, 17 Mar 2021 15:04:48 GMT

Last traffic to ( url eq 'certificate.paloaltonetworks.com' ) was on 12/29 when the certificate was installed the first time.

No block / deny or other traffic to this url or ip since then.

Seems the PA ist trying to connect to 35.238.43.180 and there is no deny for it.

The mgmt interface has an allow rule but the renew is not working.

This was the traffic from the last 2 days to https://certificatetrusted.paloaltonetworks.com/

The Root CA Palo Alto Networks Inc.-Root-CA G1 that signed the cert for certificatetrusted.paloaltonetworks.com

is not trusted if you browse to the url. But that should not be the problem.

Re: Failed to renew device certificate

KoShy — Thu, 18 Mar 2021 10:12:37 GMT

I have exactly same problem on many devices in different configurations. Nothing is blocked, DNS resolves OK.

Re: Failed to renew device certificate

kbe — Thu, 18 Mar 2021 11:15:35 GMT

Today i requested a new OTP and choose to Get Certificate on the PA which revokes the actual cert and requests a new one.

The new Cert request finished without problems.

Now i wait til 16-06 to see if the next renew will work automatically or if the problem comes up again.

Re: Failed to renew device certificate

Administrator.Klina — Thu, 18 Mar 2021 12:26:40 GMT

same problem here, i also renew the certificates using one-time password.

Re: Failed to renew device certificate

Housing1 — Sun, 02 Jan 2022 16:37:08 GMT

allow app 'paloalto-shared-services' to mgmt console rule, your most likely getting blocked. I was

Re: Failed to renew device certificate

Jaysta — Wed, 16 Feb 2022 14:25:27 GMT

Thanks, this is what helped me with getting the device cert installed on a couple of new firewalls.

Re: Failed to renew device certificate

Jason_Lieberman — Wed, 21 Sep 2022 18:44:36 GMT

My cert expires in 31 days and I see no way to renew it. I don't have a way to track the firewalls attempts since this happens via the mgmt interface. All I see is the graphic below and it doesn't look like it's tried to connect to the server since the cert was issued.

How do I renew it?

Re: Failed to renew device certificate

kbe — Thu, 13 Oct 2022 07:37:22 GMT

The Palo normally fetches a new cert by itself before the other expires. There should be no need to get it manually under normal conditions.

I see a link with get certificate wich i used the last time (see my older posting from 2021-03-18).

Re: Failed to renew device certificate

Jason_Lieberman — Thu, 13 Oct 2022 14:58:11 GMT

I have no such link.

Re: Failed to renew device certificate

kiwi — Mon, 17 Oct 2022 10:12:55 GMT

Hi @Jason_Lieberman ,

There's a way to fetch it using the CLI:

admin@PA-LAB> request certificate fetch otp <value>

replace <value> with the OTP generated on the support portal.

Hope this helps,

-Kiwi.

Re: Failed to renew device certificate

Jason_Lieberman — Mon, 17 Oct 2022 13:30:13 GMT

While the 'request certificate fetch otp' is not a valid command on my 440. 'request certificate fetch' is. When I ran that is managed to get a new cert. I'm shocked! It's been failing for a few weeks now and TAC is stumped as to why.

Thank you for that.

Re: Failed to renew device certificate

niavasha — Thu, 10 Nov 2022 12:09:51 GMT

Try the solution here on the 440 - it works luckily : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NlxCAE

Re: Failed to renew device certificate

niavasha — Thu, 10 Nov 2022 12:11:23 GMT

Then ssh in and try simply:

 request certificate fetch

Re: Failed to renew device certificate

JoeCheng — Mon, 27 Mar 2023 04:43:30 GMT

PA-5450 PAN-OS 10.2.3-h4 憑證已經過期無法自動更新
我嘗試你的Cli，它可以運作，憑證更新成功了~ Thank you