Unable to Access Web Console via HTTP or HTTPS


Issue

Unable to access web console via HTTP or HTTPS. Access via SSH is possible.

 

Resolution

This could be due to the absence of the Web GUI certificate. Since SSH access is possible, a new certificate can be created from the CLI. The following command generates a certificate named webuicertdemo with an FQDN of panlab.com:

> request certificate generate certificate-name webuicertdemo name panlab.com

 

To use this certificate for the web UI, enter the following commands:

> configure
# set deviceconfig system web-server-certificate webuicertdemo
# commit
# exit

 

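Starting from PAN-OS 7.0, the procedure is slightly different: the certificate is attached to an SSL/TLS service profile, and that profile is then assigned to the management interface. Note that the min-version tls1-0 setting shown below permits TLS 1.0, which has since been deprecated (RFC 8996); set a later minimum version where the browsers in use allow it.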

 

> request certificate generate ca yes certificate-name <cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048

> configure

# set shared ssl-tls-service-profile <profile name> certificate <cert name> protocol-settings min-version tls1-0 max-version tls1-2
# set deviceconfig system ssl-tls-service-profile <profile name>
# commit
# exit

 

owner: bpappas

Comments

Hey, is there a way to do this on the CLI? I cannot get to the GUI on HTTP or HTTPS.

Thanks

Hello,

 

How to use an SSL certificate for WebUI access that has been signed by an internal CA (from a CSR generated on the PA device)?

 

Indeed, the customer needs to have the WebUI certificate signed by its own CA.

 

I have generated the CSR from the PA using the customer's certificate attributes (OU, CN, ...). Then I exported the CSR and provided it to my customer. The customer used its CA to sign the certificate and provided me with the Base64 signed certificate, which I imported into the PA device.

 

Regards,

 

Laurent

From this documentation it looks like internal CA is not supported for the web UI.  See the chart.

 

https://live.paloaltonetworks.com/t5/Management-Articles/SSL-certificates-resource-list/ta-p/53068

For one of our customers, the webgui cert had expired and they were unable to log in to the GUI, but still had SSH access.

The above instructions are not entirely correct starting with PAN-OS 7.0. Here is what we did (basically the CLI equivalent of article 68653):

 

> request certificate generate ca yes certificate-name <cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048

> configure

# set shared ssl-tls-service-profile <profile name> certificate <cert name> protocol-settings min-version tls1-0 max-version tls1-2

# set deviceconfig system ssl-tls-service-profile <profile name>

# commit

 

 

 

Thank you @JBal, I've updated the article with your info! :)

@reaper: Thank you.

 

One more note to add: I asked myself why we did not get any warnings to avoid this scenario?

Then I found that there is a Certificate Expiration Check option under Device > Setup > Management > General Settings, which is disabled by default.

This will instruct the firewall to create warning messages when on-box certificates near their expiration dates.
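
The certificate expiry described in the comments above can also be watched from outside the firewall. The following is an added example, not part of the original article or its comments and not Palo Alto Networks code: a POSIX shell script that uses the OpenSSL command-line tool to classify a certificate as OK, EXPIRING, EXPIRED or UNREADABLE. The host name fw-mgmt.example.test, the 30-day default threshold and the function names are assumptions, and the sample certificate is constructed locally.

```shell
#!/bin/sh
# Added example (not from the article): warn before a management-interface
# certificate expires. Assumes the OpenSSL command-line tool is installed.

# cert_expiry_status PEM_FILE [WARN_DAYS]
# Prints OK / EXPIRING / EXPIRED / UNREADABLE and returns 0 / 1 / 2 / 3.
# `openssl x509 -checkend N` exits 0 only if the cert is still valid in N seconds.
cert_expiry_status() {
    pem=$1
    warn_days=${2:-30}   # assumed default threshold
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "EXPIRING"; return 1
    fi
    echo "OK"
}

# fetch_server_cert HOST OUT_FILE: save the certificate a server presents on 443.
# s_client does not abort on a self-signed certificate, so this also works for
# a firewall-generated one. Needs network access.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# make_sample_cert OUT_FILE DAYS: constructed self-signed certificate for offline use
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=fw-mgmt.example.test" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Usage: sh cert_check.sh fw-mgmt.example.test [WARN_DAYS]   (hypothetical host name)
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) || exit 3
    fetch_server_cert "$1" "$tmp"
    cert_expiry_status "$tmp" "${2:-30}"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```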