For details on cookie usage on our site, read our Privacy Policy
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
- LIVEcommunity
- Collaboration
- Discussions
- Endpoint (Traps) Discussions
- ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-18-2020 07:32 AM
I have installed a Trap agent and certificate in Red Hat 6 successfully. But when I try to pull a Trap log. The error message occurs, ERROR: 14090086: SSL routines: SSL 3_GET_SERVER_CERTIFICATE: certificate verify failed What could be for this error coming.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-31-2020 07:15 PM
Hi there,
Please see step 3 in the document listed at this URL:
Do you know if the 3 certs are trusted on the Linux server in question?
David Falcon
Solutions Architect, Cortex
Palo Alto Networks®
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-27-2020 07:29 AM
Hello,
has anyone had luck installing Cortex Agent to Linux Mint 20? I have had no issues running Ubuntu Linux (20.04 LTS), but keep getting the "SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed" error on Mint.
Certificates are installed the same way as on Ubuntu, openssl verification to the server is successful.
Thanks, best regards
Martin
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-19-2021 05:08 AM - edited 07-19-2021 01:25 PM
It's seems a problem between PA's kubernetes config and some version of openssl <1.1.1, because in 1.1.1 they change the behavior:
s_client will now send the Server Name Indication (SNI) extension by default unless the new "-noservername" option is used. The server name is based on the host provided to the "-connect" option unless overridden by using "-servername".
This works on modern distros (openssl > 1.1.0i) but not in Centos 6 (1.0.1e):
openssl s_client -connect distributions.traps.paloaltonetworks.com:443
CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
...
In Centos 6 you need to set the TLS SNI with -servername
openssl s_client -servername distributions.traps.paloaltonetworks.com -connect distributions.traps.paloaltonetworks.com:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
...
Relevant info to fix this on the server side:
https://www.ssllabs.com/ssltest/analyze.html?d=distributions.traps.paloaltonetworks.com&latest
https://github.com/kubernetes/ingress-nginx/issues/1984
https://github.com/kubernetes/ingress-nginx/issues/6398
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
- How to identify pinned certificates? in Next-Generation Firewall Discussions
- SAML Jumpcloud HA Implementation in General Topics
- Third party SSL cert for Global Protect in GlobalProtect Discussions
- Issues with GlobalProtect Pre-logon on Mac in GlobalProtect Discussions
- Global Protect connection Failed could not verify the server certificate of the gateway in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
