- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Failed to renew device certificate
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Failed to renew device certificate
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-17-2021 04:37 AM
Hi
the device certificate is going to expire end of march.
My PA trys to renew it and comes up with the following error:
Failed to renew device certificate.Failed to send request to CSP server.Error: No OCSP response received(dest => 35.238.43.180)
I have no telemetry enabled.
Just activated the certificate with OTP on 2020/12/29 after upgrading to PanOS 9.1.7.
Now it´s the first try of my PA to renew it.
The only thing i found relates to PanOS 9.1.8 wich seems to fix another error with device certificate:
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP):
Any ideas where to look for?
TIA
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-17-2021 07:38 AM
Have you checked your conectivity to certificate.paloaltonetworks.com?
I've just installed a new certificate for a Panorama, worked ok.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-17-2021 07:46 AM - edited 03-17-2021 08:04 AM
Last traffic to ( url eq 'certificate.paloaltonetworks.com' ) was on 12/29 when the certificate was installed the first time.
No block / deny or other traffic to this url or ip since then.
Seems the PA ist trying to connect to 35.238.43.180 and there is no deny for it.
The mgmt interface has an allow rule but the renew is not working.
This was the traffic from the last 2 days to https://certificatetrusted.paloaltonetworks.com/
The Root CA Palo Alto Networks Inc.-Root-CA G1 that signed the cert for certificatetrusted.paloaltonetworks.com
is not trusted if you browse to the url. But that should not be the problem.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-18-2021 03:12 AM
I have exactly same problem on many devices in different configurations. Nothing is blocked, DNS resolves OK.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-18-2021 04:15 AM
Today i requested a new OTP and choose to Get Certificate on the PA which revokes the actual cert and requests a new one.
The new Cert request finished without problems.
Now i wait til 16-06 to see if the next renew will work automatically or if the problem comes up again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-18-2021 05:26 AM
same problem here, i also renew the certificates using one-time password.
- client certificate authentication fails even though machine has certificate. in General Topics
- panos 10.0.5 can't commit firewall changes in General Topics
- User management with Client certificates not working in GlobalProtect Discussions
- Intermittent 403 - Failed Connection Errors in Ansible Playbook in Automation/API Discussions
- PAN-OS 10.0.5 is out: Issues upgrading Panorama in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
