Certificate Validation not working

L0 Member

Hi all,

hope you are doing well!

I've a little problem with the certificate validation.

I've changed the DDNS provider to a custom one but certificate validation does not work.

PAN OS: 10.0.5

First what I've done on CLI:

set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-api-host value updates.dnsomatic.com
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-baseuri value /nic/update
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-username value username
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-password value password

Image 4.png

 

My Certificate Profile looks like this:

Image 5.png

 

And the certificate for Hydrant:

Image 3.png

In my opinion it should work, but I got the following error:

Image 2.png

 

And the pcap:

Image 1.png

The server sends the right certificate, but the Palo will not verify it.

Any hints?

Thanks,

Sören

 

The only winning move is not to play!
Accepted Solutions

@NikolayDimitrov you are right, but I've done it already without success.

Today I've tested again:

I used the ROOT-CA too, the status of ddns was only "initializing" and didn't change.

I've restarted the dns-proxy with

> debug software restart process dnsproxy

 

Now it is working.

The process restart did it.

The only winning move is not to play!


2 REPLIES 2

L4 Transporter

There are many posts for such issues. I think that the SSL certificate you added in the certificate profile is an intermediate certificate and you also need to download, import and add to the certificate profile the root CA certificate of the root CA provider for Hydrant. Read the link below to see how people solved this issue:

 

 

https://live.paloaltonetworks.com/t5/general-topics/dyndns-client-on-panos-9-0/m-p/252050
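
The chain-of-trust point in the reply above, as an added example that is not part of the original thread: a trust bundle holding only an intermediate CA is compared with one holding the intermediate plus its root. It assumes the openssl CLI as a stand-in validator (PAN-OS internals are not shown on this page) and uses a constructed lab PKI whose names and helper functions are hypothetical.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root -> intermediate -> leaf); all names hypothetical.
# Assumption: the openssl CLI stands in for the validator; PAN-OS internals are not shown.

# make_chain <dir>: build the three-tier chain in <dir>.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Root CA: self-signed and marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    # Server (leaf) certificate: signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ddns.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# profile_result <trusted-ca-bundle> <server-cert>: prints "ok" or openssl's first error line.
profile_result() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo ok
    else
        echo "$out" | grep -i error | head -n 1
    fi
}

LAB=$(mktemp -d)
make_chain "$LAB"
cat "$LAB/int.pem" "$LAB/root.pem" > "$LAB/full.pem"
echo "bundle = intermediate only   : $(profile_result "$LAB/int.pem"  "$LAB/leaf.pem")"
echo "bundle = intermediate + root : $(profile_result "$LAB/full.pem" "$LAB/leaf.pem")"
rm -rf "$LAB"
```

Without the root in the bundle the validator cannot anchor the chain at a self-signed CA, so the first case reports an issuer lookup error while the second verifies.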
