The SSL certificate error" causing Panorama to not Display Logs from the logging-service"
Resolution
Overview
Firewalls are forwarding logs to the logging service as verified by the output of 'show logging-status' CLI command run on the Palo Alto Networks firewall.
However, Panorama fails to display the logs/data under the Monitor or ACC tabs due to SSL certificate errors as shown on Panorama CLI below:
Panorama_CLI
> request plugins cloud_services logging-service status
pass
{"@status": "success", "result": {"PODamericas": {"message": "<html>\r\n<head><title>400 The SSL certificate error</title></head>\r\n<body b
gcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>The SSL certificate error</center>\r\n<hr><center>openresty</cente
r>\r\n</body>\r\n</html>\r\n", "result": 400}}}
The same error can be found in lcaas_agent.log. CLI Command - "tail follow yes mp-log lcaas_agent.log" or "less mp-log lcaas_agent.log"
2018-08-27 11:01:40,116 lcaas_agent ERROR Invalid response : <html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>openresty</center>
</body>
</html>
Resolution
To resolve this issue, please follow the following steps:
1. Delete the exiting Panorama-certificate using the following command on the Panorama CLI -
Panorama_CLI
> request plugins cloud_services panorama-certificate delete
pass
2. Re-fetch the certificate from the Customer Support Portal.
Panorama_CLI
> request plugins cloud_services panorama-certificate fetch otp
<value> One time password to generate the certificate
OTP that can be generated on the Customer Support Portal > Assets > Cloud Services > Generate OTP by selectig the correct Panorama Serial number.
Panorama_CLI
> request plugins cloud_services panorama-certificate fetch otp af6b28128b85c08793af209c89067e3df91ae1965e4005a6d720
d0b8a0c0bc72c67f0f4afcbd18409552d636e841a9620908ccb4
59146fc5e67be91c0f8c5cc7cb3aafb6c11dff53bb250d698d74
8cac18cf39473af25c2c540dc925e19c3af8f2e815db98f8a065
16fa8b050048cccc82e73a7d3a5e287984fa84ad1e6cb79ca105
7f7757c09d792d4bf1d69f67961ccd9f1a32d159c40a2c60f020
442faa9999b1e085619a053c852657fbb80d1dab7cce759b4d46
b6c010a82502281ed743
-----BEGIN CERTIFICATE-----
MIIFEjCCA3qgAwIBAgIIFypNIkISvJQwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVVMxIDAe
BgNVBAoTF1BhbG8gQWx0byBOZXR3b3JrcyBJbmMuMTQwMgYDVQQDDCtQYWxvX0FsdG9fTmV0d29y
a3MtU0pDLUNsaWVudC1Jc3N1aW5nLUNBLUcxMB4XDTE4MDgyNzE4MTA1OFoXDTE4MTEyNTE4MTA1
OFowgYAxCzAJBgNVBAYTAlVTMSAwHgYDVQQHDBdQYWxvIEFsdG8gTmV0d29ya3MgSW5jLjElMCMG
A1UECwwcUGFsbyBBbHRvIE5ldHdvcmtzIEluYyBDbG91ZDEVMBMGA1UEBRMMMDAwNzAyNjA5MzYz
MREwDwYDVQQDDAg0Mjc3MzAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrNhdwp
O4BFqElCH2uKaFArezCI4tj10qusqdN13e32eun5DGsgGZXojuUWyetDaK2+mgKr2ajbX+lo+Rl1
8qjC/FEidsFAZSb3Vyqf+SMEzqwdmM9dH4idialBy7I97xyRIFP/oODEgje7jTmscG82NvQ46IyF
nJLrjrQWCDOaAXki8p81E1WV365oSIcn1LGbAbV1IPSx+2beU0VKQn8oEAfGPnZtzA2A4NS9ZWax
UbJFS7rwVcJjl6eG9vBOwl+gCyuvIGo1iJXw5ly32ckjCT3urmj4zoth3XYnQo2EwZDTCp+3+11y
EPwrh79TlZpD5j+7RashJbK75oQSJ0kCAwEAAaOCASgwggEkMAwGA1UdEwEB/wQCMAAwHwYDVR0j
BBgwFoAUMHlZA6E7Jsji4EfU3rbG13ZD6HcwQQYIKwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVo
dHRwOi8vb2NzcC5wYWxvYWx0b25ldHdvcmtzLmNvbS9vY3NwMBkGA1UdIAQSMBAwDgYMKwYBBAGB
xnUDAgMDMBMGA1UdJQQMMAoGCCsGAQUFBwMCMFEGA1UdHwRKMEgwRqBEoEKGQGh0dHA6Ly9jcmwu
cGFsb2FsdG9uZXR3b3Jrcy5jb20vcGFuLXNqYy1jbGllbnQtaXNzdWluZy1nMS1jYS5jcmwwHQYD
VR0OBBYEFFf5jIlZpfMsAN2Lb37zddE2OLvYMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsF
AAOCAYEAVDbuCO05rC3R21fJznhGYN21lGxFQ5hMJRlCM9v42GJXPOHl8Q//kXRUeDhJb8WFRXgR
Q+AClvGCtwxWNePcWfigRbKCoBdsB3vwE0/gzQplnxD48RVRilYhiPcDC/8DhXUwnHtbIiXWcgkS
q32uqzRB3dD/vqhnfkz6LNWpWUaCvH4tMW4i1MkEohEBpgkCHlsgfe134VR/xQ5LlB90D1MA4y8u
qP5f1eow46oYpG0bd1Npm8L4mkTr2ZXz5r/UZSRzaS2cTUcM36AE6XnGrTbiSJHkvR1d8KEzOv24
z5e2bftrkgIMSAKcnPpuxyjGscvZOAAc8tbVTXRf24x2IkyhlLMOB4jWbvzHjDCDRV5YG7+/NmDH
UsqxObjGO2fFwo1b3ASi987rMWkqpqtfMDnu7ZYg0DCgsU3VEyom+3A/TsLuyJFxy8tqcEBFzB+T
aVWovsv4G6tyXSEvrq/X5WicvYN732mmAeQ2JnZI9AUHFOHUfx+DQX++9LhQz0wt
-----END CERTIFICATE-----
Success
3. You will see a Success status at the end if the certificate fetch is successful. Then, verify if Panorama can establish a successful SSL connection with the logging service by running the following command which had been throwing 'SSL Certificate errors" previously.
Panorama_CLI
> request plugins cloud_services logging-service status
pass
{"@status": "success", "result": {"PODamericas": {"name": "americas", "Status": {"type": "status", "value": "OK", "tooltip": "OK"}, "@num_in
stances": 5, "Storage Used (TB)": {"type": "number", "value": "2.187982", "limit": 5}, "Estimated Log Retention (Days)": 88, "entry": [{"nam
e": "Americas", "Status": {"type": "status", "value": "OK", "tooltip": "OK"}, "infra-audit-utilization": {"header": ["Infrastructure and Aud
it Logs", "Utilization"], "type": "number", "value": 24.86, "limit": 512, "unit": "GB"}, "infra-audit-retention": {"header": ["Infrastructur
e and Audit Logs", "Retention"], "type": "number", "value": 122, "unit": "Days"}, "detail-utilization": {"header": ["Detailed Logs", "Utiliz
ation"], "type": "number", "value": 1887.66, "limit": 2048, "unit": "GB"}, "detail-retention": {"header": ["Detailed Logs", "Retention"], "t
ype": "number", "value": 88, "unit": "Days"}, "summary-utilization": {"header": ["Summary Logs", "Utilization"], "type": "number", "value":
284.32, "limit": 768, "unit": "GB"}, "summary-retention": {"header": ["Summary Logs", "Retention"], "type": "number", "value": 102, "unit":
"Days"}, "@quota_info": {"quota_details": "{\"log-disk-quota\":{\"detailed\":40,\"infra-audit\":10,\"summary\":15},\"@name\":\"americas\",\"
theater-quota\":{\"quota_count\":5}}", "quota_count": 5}}]}}}
4. Now, Panorama should display the logs it queries from the Logging Service under Monitor and ACC tabs.