topic Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com in General Topics

Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

Johndbabio1 — Sun, 20 Jun 2021 01:38:06 GMT

issue1:

I am having issues with getting Panorama and firewalls connected up to datalake. I opened a case and i am told it can't connect to api.paloaltonetworks.com. I have pcap that says otherwise. There is no ssl decryption in between. Its frustrating when you spend serious amount of money on this storage and it doesn't work.

issue2:

I am have a hard time find nice straight forward instructions on how to get panorama managed firewalls along with panorama setup with datalake. The instructions are all over the place. If someone has instructions they followed, preferably including the cert generation from the cloud services that would be really helpful.

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

BPry — Sun, 20 Jun 2021 03:26:25 GMT

@Johndbabio1,

Are you allowing your firewalls to communicate with ocsp.paloaltonetworks.com and crl.paloaltonetworks.com? The error your getting is simply stating that they can't validate the certificate of api.paloaltonetworks.com, not that it's not able to reach api.paloaltonetworks.com. Take a look at the required communication document and make sure you can actually communicate to all of the required FQDNs and that you're actually allowing all of the necessary traffic to pass.

What documentation are you attempting to follow? The Getting Started documentation will walk you through how you go about setting this up in a step by step fashion.

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

Johndbabio1 — Sun, 20 Jun 2021 04:47:02 GMT

tail follow yes mp-log lcaas_agent.log

2021-06-19 23:16:59,171 lcaas_agent INFO source interface: src route sysd str: cfg.net.s0.srcif
2021-06-19 23:16:59,171 lcaas_agent INFO source interface: src_table: {'refresh': 300}
2021-06-19 23:16:59,171 lcaas_agent INFO Server not passed in. Picking up from cfg.lcaas-orch-server-domain sysd node
2021-06-19 23:16:59,179 lcaas_agent INFO LCaas server port not passed in. Picking up from cfg.lcaas-orch-server-port sysd node
2021-06-19 23:17:59,239 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:19:01,270 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:20:03,296 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:21:05,322 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:22:07,347 lcaas_agent ERROR Failed to fetch LCaaS server cert for validation check after 5 retries
2021-06-19 23:22:07,348 lcaas_agent ERROR Failed to validate server certificate for endpoint api.paloaltonetworks.com

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

oadrian — Fri, 06 May 2022 05:08:17 GMT

Did you find a solution to this one?

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

Silas1 — Wed, 14 Sep 2022 22:30:45 GMT

Engineers will find solutions for everything else not the LCaaS errors. i think we must accept that not even the programmers at Palo Alto can fix this.

Why is it difficult for the solution to this problem to be posted?

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

chmotley — Tue, 10 Jan 2023 04:45:17 GMT

I know this is a late reply, but have you checked this doc? The one command: request logging-service-forwarding customerinfo [show|fetch] was pretty helpful - error message showed me I was getting SSL handshake rejected.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMXKCA4

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

apiche1 — Fri, 18 Apr 2025 15:01:37 GMT

Bump for an old thread, however I found more relevant information.

1.) 3rd Gen firewalls (PA-800s, PA-3200s, PA-5200s) did NOT come with the Device Certificate. You have to fetch it using the OTP method (from Device Certificate in Support Portal). "request certificate fetch otp ##############################"
2.) Run the "request logging-service-forwarding status" If you are missing the Logging Service Certificate (see screenshot), then run "request logging-service-forwarding customerinfo fetch"
3.) Port TCP/444 has to be open for the firewall to fetch server certificate when doing the "request logging-service-forwarding customerinfo fetch" command (see screenshot)

I found this helpful trying to get IoT Security working on a PA-3220. We were not seeing any devices make it to the IoT dashboard until the Device Certificate and the Logging Server Certificate was fetched successfully.

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

Brandon_Wertz — Mon, 21 Apr 2025 13:41:09 GMT

@apiche1 wrote:

Bump for an old thread, however I found more relevant information.

1.) 3rd Gen firewalls (PA-800s, PA-3200s, PA-5200s) did NOT come with the Device Certificate. You have to fetch it using the OTP method (from Device Certificate in Support Portal). "request certificate fetch otp ##############################"
2.) Run the "request logging-service-forwarding status" If you are missing the Logging Service Certificate (see screenshot), then run "request logging-service-forwarding customerinfo fetch"
3.) Port TCP/444 has to be open for the firewall to fetch server certificate when doing the "request logging-service-forwarding customerinfo fetch" command (see screenshot)

I found this helpful trying to get IoT Security working on a PA-3220. We were not seeing any devices make it to the IoT dashboard until the Device Certificate and the Logging Server Certificate was fetched successfully.

GL, trying to stand-up IoT. I've been evaluating it at my company for ~6ish months. We did finally get it added to our ELA. It seems like a great feature, but still has a lot of quirks we're working through with them.