07-14-2025 06:13 AM
I'm receiving this error from our firewall every 2 minutes, and I can't figure out what the cause is. The reason says "self signed certificate in certificate chain", but I don't know what self-signed cert it is talking about. This has been working for years now; the cert selected on the firewall is the GoDaddy root from https://certs.godaddy.com/repository/gd-class2-root.crt.
The source URL is copied from our Cortex XDR settings:
https://EDL-MyXDRInstance.paloaltonetworks.com/block_list?type=domain
EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Cortex Domains, EDL Source URL: https://<edl>.paloaltonetworks.com/block_list?type=domain, CN: *.xdr.us.paloaltonetworks.com, Reason: self signed certificate in certificate chain
07-14-2025 06:52 AM
Realizing now that it seems to have stopped at 5am CST this morning, so maybe this is resolved?
07-17-2025 05:30 AM
On the same day we also encountered this issue related to the EDL, and we are also using an external GoDaddy certificate. Have you found any fix from TAC?
We reached out to TAC and are trying to find the root cause.
07-17-2025 07:44 AM - edited 07-17-2025 08:08 AM
Hello,
The digital certificate presented by edl-hxdr.xdr.us.paloaltonetworks.com has a chain issue.
https://www.ssllabs.com/ssltest/analyze.html?d=edl-hxdr.xdr.us.paloaltonetworks.com
To fix that, you need to download the intermediate authority certificate and import it into your firewall, then mark the imported certificate as a Trusted Root CA Certificate.
To help you, I have already downloaded the intermediate authority certificate and you can take it from this comment. Just unzip and upload the extracted certificate to your firewall.
If you want to know more about how to fix incomplete chain issues, please have a look here: Repair Incomplete Certificate Chains
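The two failures discussed in this thread (an intermediate the server does not send, and a self-signed root in the served chain that the trust store does not hold, which is what OpenSSL reports as "self signed certificate in certificate chain") can be reproduced offline. The script below is an added example, not from the original post or from Palo Alto Networks; it builds a throwaway PKI with constructed names and checks the leaf with `openssl verify` the way a client would.

```shell
#!/bin/sh
# Reproduce the chain-validation errors behind the EDL alert on a throwaway PKI
# (constructed test material only; no real GoDaddy or Palo Alto certificates).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# issue NAME CN ISSUER KIND: write $WORK/NAME.crt signed by $WORK/ISSUER.key,
# or self-signed when ISSUER is "self"; KIND is "ca" or "leaf".
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$4" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/$1.ext"
  else
    printf 'basicConstraints=CA:FALSE\n' >"$WORK/$1.ext"
  fi
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Trusted root -> intermediate -> EDL leaf, plus an unrelated root standing in
# for a trust store that holds the wrong root certificate.
make_pki() {
  issue root  "Test Root CA"         self  ca
  issue inter "Test Intermediate CA" root  ca
  issue leaf  "edl.example.test"     inter leaf
  issue other "Unrelated Root CA"    self  ca
  cat "$WORK/inter.crt" "$WORK/root.crt" >"$WORK/served_chain.pem"
}
# verify_code LEAF TRUSTSTORE [UNTRUSTED]: print the X509 verify error code
# (0 = chain OK, 20 = issuer missing, 19 = self-signed anchor not trusted).
verify_code() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) && { echo 0; return; }
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo 0; return; }
  fi
  echo "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
}

make_pki
echo "intermediate not served, not in store : $(verify_code "$WORK/leaf.crt" "$WORK/root.crt")"
echo "intermediate served, root trusted      : $(verify_code "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/inter.crt")"
echo "full chain served, wrong root in store : $(verify_code "$WORK/leaf.crt" "$WORK/other.crt" "$WORK/served_chain.pem")"
```

The third case is the one matching the alert text above: the chain the server presents is complete, but its self-signed anchor is not the root configured in the certificate profile, so comparing the served chain against the root you imported is the first check to make.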
07-22-2025 11:39 AM
Hello @CosminM, we have tried that procedure and it did not work until we referenced the intermediate authority certificate in the certificate profile associated with the EDL. That was on a PA-440 without decryption.
We are trying to stop this alert on a PA-3220 with the same procedure, but we are still getting the alert.
Has anyone fixed this issue?
07-24-2025 01:16 PM
We began having the same issue on our 3220. The certificate path has apparently changed. Before it was using GlobalSign. Now it's pointing to GoDaddy. We have a TAC case open, but TAC doesn't seem to know what the issue is either. I've tried the suggested fixes, including the one on this thread, but still no luck.
07-25-2025 08:03 AM
FYI, we have just identified that this issue appears to be related to the internal logging and alerting process in the firewall rather than an actual fault with the firewall successfully accessing and updating the EDL from the Cortex tenant. We noticed that while we are getting email alerts for the issue every hour (which is how often the Cortex EDLs are set to update), the system logs in the firewall do not show any further alerts for this issue since July 15th. We then created a new entry in the domain EDL in Cortex as testbad.com, logged into the firewall, checked the EDL, clicked Import Now, and the new domain showed up in the list on the firewall.
TL;DR: even though we continue to get email alerts regarding Cortex EDL sources failing to authenticate due to a self-signed cert, the firewall is downloading them anyway.