Failed to renew device certificate. Failed to send request to CSP server.


Jason_Tong (L1 Bithead)

We have this error log on a PA firewall running version 8.1.

After we followed the KB, the error log did not appear again.

However, Panorama still shows it as failed...

 

How long does it take for the cert status to be auto-checked?

Can we check it manually? Restart the management plane in Panorama?

Before version 9.1, where can we verify the cert status, and what is the cert used for?

 

[screenshot: Jason_Tong_0-1632733510437.png]

 


Failed to renew device certificate. Failed to send request to CSP server. Error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificatetrusted.paloaltonetworks.com:443

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBgsCAG&lang=en_US%E2%80%A...

 

 


Pavel Kucera (L4 Transporter)

Thank you for the post @Jason_Tong 

 

Device Certificate is not supported in PAN-OS 8.1 yet. If you try to provision a Device Certificate from Panorama by sending "Request OTP from CSP", then you should see that the field for Device Certificate is empty:

[screenshot: PavelK_0-1632740534058.png]

This is probably the reason why you are getting this error. After you upgrade your managed firewall to version 9.1, you should be able to provision a Device Certificate.

 

Kind Regards

Pavel

 

Pavel Kucera

Jason_Tong (L1 Bithead)

Thank you for the reply.

 

We verified the rule and found out:

The URL is different.

Old: certificate.paloaltonetworks.com

New: certificatetrusted.paloaltonetworks.com

But we see the correct IP is 35.238.43.180.

Are the two URLs the same?

 

 

Pavel Kucera (L4 Transporter)

Thank you for the reply @Jason_Tong, and sorry for getting back to you with a delay.

 

I tried to replicate your environment to reproduce the issue. First of all, I gave you misleading information in my earlier reply. Device Certificate is indeed supported in later maintenance releases of PAN-OS 8.1. In my case, after I installed PAN-OS 8.1.20, I was able to see under Setup > Management > Device Certificate the option to enroll a Device Certificate.

 

In my lab environment, I did not have an issue requesting a Device Certificate, so unfortunately I was not able to reproduce it; however, I can confirm that this traffic goes over the management interface unless you have configured a Service Route. In order to troubleshoot this further, could you take a packet capture on the management interface while you provision the Device Certificate: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS ?

 

Are you facing the same issue when you request the Device Certificate locally from the firewall instead of through Panorama?

 

Kind Regards

Pavel

Pavel Kucera
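The two open points in the thread are whether the old and new CSP hostnames resolve to the same address and why the handshake to certificatetrusted.paloaltonetworks.com:443 dies with SSL_ERROR_SYSCALL. The script below is an added example, not code from this thread or from Palo Alto Networks: run from a host whose path to the CSP matches the firewall's management path, it resolves both names and compares the address sets, then attempts the TLS handshake and maps the failure to a likely cause. Only the two hostnames and the port come from the thread; the diagnosis strings, the fake resolver and the constructed failure list are assumptions added so the logic can be exercised offline.

```python
"""Added example (not from the LIVEcommunity thread or Palo Alto Networks):
check the two CSP hostnames from the thread and classify a failed handshake.
The hostnames and port come from the thread; everything else is assumed."""
import socket
import ssl

OLD_HOST = "certificate.paloaltonetworks.com"
NEW_HOST = "certificatetrusted.paloaltonetworks.com"
PORT = 443


def resolve(host, resolver=socket.getaddrinfo):
    """Set of addresses `host` resolves to (empty if resolution fails)."""
    try:
        infos = resolver(host, PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare_hosts(old=OLD_HOST, new=NEW_HOST, resolver=socket.getaddrinfo):
    """The thread's question: do both FQDNs point at the same address(es)?
    Returns (old_addrs, new_addrs, addresses common to both)."""
    old_addrs, new_addrs = resolve(old, resolver), resolve(new, resolver)
    return old_addrs, new_addrs, old_addrs & new_addrs


def classify(exc):
    """Map a handshake exception to a short diagnosis (assumed meanings).
    The first case is what the SSL_ERROR_SYSCALL in the thread looks like
    from Python: the TCP connection was cut during the handshake instead of
    the peer sending a TLS alert, typical of an in-path firewall or proxy
    dropping or resetting the session."""
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError)):
        return "syscall: connection cut mid-handshake (RST/drop by firewall or proxy on path)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: SYN or handshake silently dropped (ACL on management path)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: port closed or traffic sent to the wrong destination"
    if isinstance(exc, socket.gaierror):
        return "dns: name did not resolve (check management-plane DNS or service route)"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert: handshake reached but chain untrusted (TLS-intercepting proxy?)"
    if isinstance(exc, ssl.SSLError):
        return "tls: handshake rejected by peer (%s)" % (exc.reason,)
    return "other: %r" % (exc,)


def probe(host=NEW_HOST, port=PORT, timeout=5.0):
    """Live check: TLS handshake with certificate verification. Returns
    (ok, detail). The issuer is reported so a TLS-inspection proxy, which
    would present its own CA, is visible at a glance."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "%s ok, issuer=%s" % (
                    tls.version(), issuer.get("organizationName"))
    except OSError as exc:  # ssl.SSLError and socket errors all derive from OSError
        return False, classify(exc)


# Constructed offline fixture (not real DNS data): answers like a resolver
# that maps both names to one shared address, the situation the thread asks
# about, and raises gaierror for anything else.
def fake_resolver(host, port, proto=0):
    table = {OLD_HOST: ["192.0.2.10"], NEW_HOST: ["192.0.2.10", "192.0.2.11"]}
    if host not in table:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in table[host]]


# Constructed failures: the exceptions a real probe would raise in each case.
CONSTRUCTED_FAILURES = [
    ("peer closed during handshake", ssl.SSLEOFError()),
    ("tcp reset", ConnectionResetError()),
    ("no answer", socket.timeout()),
    ("unknown name", socket.gaierror(-2, "Name or service not known")),
    ("untrusted chain", ssl.SSLCertVerificationError()),
]


def demo_classifications():
    """Diagnosis category (text before the colon) for each constructed failure."""
    return [(name, classify(exc).split(":")[0]) for name, exc in CONSTRUCTED_FAILURES]


if __name__ == "__main__":
    old, new, shared = compare_hosts()
    print("old    ->", sorted(old))
    print("new    ->", sorted(new))
    print("shared ->", sorted(shared) or "no overlap")
    ok, detail = probe()
    print("handshake to %s:%d -> %s" % (NEW_HOST, PORT, detail))
```

If the live probe from the management network reports "syscall" while the same probe from an unrestricted host succeeds, the packet capture Pavel asks for should show the RST or the missing server hello; if it reports "cert" with an unexpected issuer, a TLS-inspecting proxy sits on the path and the CSP FQDN needs to be excluded from decryption.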