This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Certificate Validation not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Certificate Validation not working

Go to solution
SoerenMindorf
L0 Member

‎04-19-2021 05:05 AM

Hi all,

hope you are doing well!

I've a little probelm with the certificate validation.

I've changed the DDNS provider to a custom one bit certifiate validation dows not work.

PAN OS: 10.0.5

First what I've done on CLI:

set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-api-host value updates.dnsomatic.com
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-baseuri value /nic/update
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-username value username
set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-password value password

Image 4.png

 

My Certificate Profile looks like this:

Image 5.png

 

And the  certificate for Hydrant:

Image 3.png

As my opinion it should work but I got the following error:

Image 2.png

 

And the pcap:

Image 1.png

The server send the right certificate but the Palo will not verify it.

Any hints?

Thanks,

Sören

 

The only winning move is not to play!
(1)
1 accepted solution

Accepted Solutions

Go to solution
SoerenMindorf
L0 Member
In response to nikoolayy1

‎04-20-2021 03:32 AM

@nikoolayy1 you are right, but I've done it already without success.

Today I've tested again:

I used the ROOT-CA too, the status of ddns was only "initalizing" and didn't change.

I've restarted the dns-proxy with

> debug software restart process dnsproxy

 

Now it is working.

The process restart did it.

The only winning move is not to play!

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
nikoolayy1
L6 Presenter

‎04-19-2021 10:47 PM

There are many posts for such issues. I think that that the SSL certfificate you added in the certficate profile is intermidiate certficate and you also need to download, import and add to the certficate prfile the root CA certficate of the root CA provider for Hydrant. Read the link below to see how people solved this issue:

 

 

https://live.paloaltonetworks.com/t5/general-topics/dyndns-client-on-panos-9-0/m-p/252050

0 Likes Likes

Go to solution
SoerenMindorf
L0 Member
In response to nikoolayy1

‎04-20-2021 03:32 AM

@nikoolayy1 you are right, but I've done it already without success.

Today I've tested again:

I used the ROOT-CA too, the status of ddns was only "initalizing" and didn't change.

I've restarted the dns-proxy with

> debug software restart process dnsproxy

 

Now it is working.

The process restart did it.

The only winning move is not to play!
0 Likes Likes
  • 1 accepted solution
  • 2836 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks