Expedition Articles
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Featured Article
Access Expedition GUI Using Google Chrome with Certification Error   Symptoms Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website.  Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.   View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID Diagnosis For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.   Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en   Solution Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition: SSH to Expedition cd to /tmp Modify req.conf by issue below command: $ sudo vi req.conf copy and past below section in req.conf, modify attributes in the file to match your organization ........................................................................................ [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ( Replace this with your county name) ST = VA  ( Replace this with your state name) L = SomeCity  ( Replace this with your city name) O = MyCompany ( Replace this with your company name) OU = MyDivision ( Replace this with your organization name) CN = 192.168.44.131 ( Replace this IP with your Expedition IP ) [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP ) DNS.2 = company.com  DNS.3 = company.net ........................................................................................       saves the changes with ESC :wq!   Issue below commands in order: $ sudo openssl genrsa -out server.key 3072 -config req.conf $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf $ sudo cp server.key /etc/ssl/certs/ $ sudo cp certificate.pem /etc/ssl/certs/   Modify the default-ssl.conf by issue below command: $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf  Find below two lines in the default-ssl.conf and replace the path  SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key    with    SSLCertificateFile   /etc/ssl/certs/certificate.pem SSLCertificateKeyFile /etc/ssl/certs/server.key   saves the changes with ESC :wq   Restart Apache by issue below command: $ sudo systemctl restart apache2   Try access the Expedition GUI again Google chrome should now present you an option under "Advanced" to proceed to the URL. 
View full article
  • 54 Posts
  • 282 Subscriptions
Customer Advisories

Your security posture is important to us. If you’re a Palo Alto Networks customer, be sure to login to see the latest critical announcements and updates in our Customer Advisories area.

Learn how to subscribe to and receive email notifications here.

Listen to PANCast

PANCast is a Palo Alto Networks podcast that provides actionable insights to customers, helping you maximize your investment while improving your cybersecurity posture.

Top Contributors