09-27-2021 02:10 AM
We have an error log on a PA running version 8.1.
We followed the KB, and the error log no longer appears.
However, Panorama still shows it as failed...
How long until the cert status is checked automatically?
Can we check it manually? Restart the management plane in Panorama?
In versions before 9.1, where can we verify the cert status, and what is the cert used for?
Failed to renew device certificate. Failed to send request to CSP server. Error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificatetrusted.paloaltonetworks.com:443
09-27-2021 04:04 AM
Thank you for the post @Jason_Tong
Device Certificate is not supported in PAN-OS 8.1 yet. If you try to provision a Device Certificate from Panorama by sending: Request OTP from CSP, then you should see that the field for Device Certificate is empty:
This is probably the reason why you are getting this error. After you upgrade your managed Firewall to version 9.1, you should be able to provision a Device Certificate.
Kind Regards
Pavel
09-27-2021 06:24 AM
Thank you for the reply.
We verified the rule and found the following.
The URL is different.
Old: certificate.paloaltonetworks.com
New: certificatetrusted.paloaltonetworks.com
But we see the correct IP is 35.238.43.180
Are the two URLs the same?
10-04-2021 04:13 PM
Thank you for the reply @Jason_Tong and sorry for getting back to you with a delay.
I tried to replicate your environment to reproduce the issue. First of all I gave you misleading information in my earlier reply. Device Certificate is indeed supported in later maintenance releases of PAN-OS 8.1. In my case after I installed PAN-OS 8.1.20, I was able to see under: Setup > Management > Device Certificate the option to enroll Device Certificate.
In my lab environment, I did not have an issue requesting a Device Certificate, so unfortunately I was not able to reproduce it. However, I could confirm that this traffic goes over the management interface unless you configured a Service Route. In order to troubleshoot this further, could you take a packet capture on the management interface while you provision the Device Certificate: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS ?
Are you facing the same issue when you request the Device Certificate locally from the Firewall instead of through Panorama?
Kind Regards
Pavel