External dynamic list failing at refresh


L1 Bithead

This should be simple, but I have been at it for much too long and support hasn't been able to figure it out. Hoping someone here has had this issue.

 

I have a simple EDL to allow (type IP); the source is https and it's a txt file on a Bitbucket repo.

I have added the certs (root and intermediate) directly from the CA that signed them (well-known CA, not internal). The root had the box checked "trusted root ca cert".

I have created a cert profile with the certs.

When I go to refresh I see the refresh job fail with the following:

 

 EDLRefresh job failed. Cert validation failed

EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: TEST-EDL-IP, EDL Source URL: https://blah.blah.blah.txt, CN: *.blah.com, Reason: self signed certificate in certificate chain

 

I have tried it on 3 different firewalls and all fail in the same way. All are on PAN-OS 8. I have tried it with an http source (without a cert profile) and it works as it's supposed to, so at least I know the EDL object and rules, etc. work. I think it might be a stupid simple thing that I am missing, but I can't figure it out. I have no hair. Thank you for your assistance.

5 REPLIES 5

Thank you @Anon1 and @BPry, you were right. I thought I had the whole chain. I just got in touch with the issuer and asked for the root/issuing, etc. certs and indeed they were completely different. That resolved it.
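The failure resolved in this thread can be reproduced and checked off-box with OpenSSL before touching the certificate profile. The script below is an added example, not part of the thread or of any vendor tooling; the function names, file names and the `edl.example.test` certificates are constructed for illustration, and it assumes OpenSSL 1.1.0 or later for `-no-CApath`.

```shell
#!/usr/bin/env bash
# Added example. All certificates here are constructed throwaway test certs.
# To capture what a real EDL source presents, save the output of
#   openssl s_client -connect <edl-host>:443 -servername <edl-host> -showcerts </dev/null
# and split it into leaf.pem (first cert) and served.pem (the remaining certs).

# chain_check <trusted_cas.pem> <served_chain.pem> <leaf.pem>
# Trusts ONLY the CAs in trusted_cas.pem (the certs intended for the cert profile);
# served_chain.pem is untrusted helper material, as a TLS client treats it.
chain_check() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

# make_ca <dir> <name>: constructed self-signed root
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed $2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf <dir> <issuing-ca-name>: constructed server cert signed by that root
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=edl.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_ca "$d" issuing-root     # the root that really signed the server cert
  make_ca "$d" imported-root    # a different root, imported by mistake
  make_leaf "$d" issuing-root
  echo "Trusting the wrong root (server sends its own root in the chain):"
  chain_check "$d/imported-root.pem" "$d/issuing-root.pem" "$d/leaf.pem" \
    || echo "  => validation fails"
  echo "Trusting the root that actually issued the chain:"
  chain_check "$d/issuing-root.pem" "$d/issuing-root.pem" "$d/leaf.pem"
  rm -rf "$d"
}
demo
```

The first check reports the same reason as the firewall log (self-signed certificate in certificate chain), because the served root is not among the trusted CAs; comparing `openssl x509 -noout -subject -issuer -fingerprint` output for the served certs against the imported ones shows which cert differs.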
