topic Re: Certificate Validation not working in General Topics

Certificate Validation not working

SoerenMindorf — Mon, 19 Apr 2021 12:05:02 GMT

Hi all,

hope you are doing well!

I've a little probelm with the certificate validation.

I've changed the DDNS provider to a custom one bit certifiate validation dows not work.

PAN OS: 10.0.5

First what I've done on CLI:

set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-api-host value updates.dnsomatic.com set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-baseuri value /nic/update set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-username value username set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-password value password

My Certificate Profile looks like this:

And the certificate for Hydrant:

As my opinion it should work but I got the following error:

And the pcap:

The server send the right certificate but the Palo will not verify it.

Any hints?

Thanks,

Sören

Re: Certificate Validation not working

nikoolayy1 — Tue, 20 Apr 2021 05:47:20 GMT

There are many posts for such issues. I think that that the SSL certfificate you added in the certficate profile is intermidiate certficate and you also need to download, import and add to the certficate prfile the root CA certficate of the root CA provider for Hydrant. Read the link below to see how people solved this issue:

https://live.paloaltonetworks.com/t5/general-topics/dyndns-client-on-panos-9-0/m-p/252050

Re: Certificate Validation not working

SoerenMindorf — Tue, 20 Apr 2021 10:32:31 GMT

@nikoolayy1 you are right, but I've done it already without success.

Today I've tested again:

I used the ROOT-CA too, the status of ddns was only "initalizing" and didn't change.

I've restarted the dns-proxy with

> debug software restart process dnsproxy

Now it is working.

The process restart did it.