This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Failed to renew device certificate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Failed to renew device certificate

kbe
L3 Networker

‎03-17-2021 04:37 AM

Hi

 

the device certificate is going to expire end of march.

My PA trys to renew it and comes up with the following error:

Failed to renew device certificate.Failed to send request to CSP server.Error: No OCSP response received(dest => 35.238.43.180)

 

I have no telemetry enabled.

Just activated the certificate with OTP on 2020/12/29 after upgrading to PanOS 9.1.7.

 

Now it´s the first try of my PA to renew it.

 

The only thing i found relates to PanOS 9.1.8 wich seems to fix another error with device certificate:

Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP): 

invalid ocsp response sig-alg

 

Any ideas where to look for?

 

TIA

0 Likes Likes
15 REPLIES 15

LGCoelho
L0 Member

‎03-17-2021 07:38 AM

Have you checked your conectivity to certificate.paloaltonetworks.com?

I've just installed a new certificate for a Panorama, worked ok.

0 Likes Likes

kbe
L3 Networker
In response to LGCoelho

‎03-17-2021 07:46 AM - edited ‎03-17-2021 08:04 AM

Last traffic to ( url eq 'certificate.paloaltonetworks.com' ) was on 12/29 when the certificate was installed the first time.

No block / deny or other traffic to this url or ip since then.

 

Seems the PA ist trying to connect to 35.238.43.180 and there is no deny for it.

The mgmt interface has an allow rule but the renew is not working.

This was the traffic from the last 2 days to https://certificatetrusted.paloaltonetworks.com/

 

kbe_0-1615993074517.png

 

The Root CA Palo Alto Networks Inc.-Root-CA G1 that signed the cert for certificatetrusted.paloaltonetworks.com

is not trusted if you browse to the url. But that should not be the problem.

 

0 Likes Likes

JureKosmrlj
L1 Bithead
In response to kbe

‎03-18-2021 03:12 AM

I have exactly same problem on many devices in different configurations. Nothing is blocked, DNS resolves OK.

0 Likes Likes

kbe
L3 Networker
In response to kbe

‎03-18-2021 04:15 AM

Today i requested a new OTP and choose to Get Certificate on the PA which revokes the actual cert and requests a new one.

The new Cert request finished without problems.

Now i wait til 16-06 to see if the next renew will work automatically or if the problem comes up again.

0 Likes Likes

Administrator.Klina
L1 Bithead

‎03-18-2021 05:26 AM

same problem here, i also renew the certificates using one-time password.

 

0 Likes Likes

Housing1
L1 Bithead

‎01-02-2022 08:37 AM

allow app 'paloalto-shared-services' to mgmt console rule, your most likely getting blocked. I was

Jaysta
L0 Member
In response to Housing1

‎02-16-2022 06:25 AM

Thanks, this is what helped me with getting the device cert installed on a couple of new firewalls.

0 Likes Likes

Jason_Lieberman
L2 Linker
In response to Administrator.Klina

‎09-21-2022 11:44 AM

My cert expires in 31 days and I see no way to renew it.  I don't have a way to track the firewalls attempts since this happens via the mgmt interface.  All I see is the graphic below and it doesn't look like it's tried to connect to the server since the cert was issued.  

 

How do I renew it?

 

Jason_Lieberman_0-1663785812418.png

 

PCNSE, PCNSC, CyberForce
0 Likes Likes

kbe
L3 Networker
In response to Jason_Lieberman

‎10-13-2022 12:37 AM

The Palo normally fetches a new cert by itself before the other expires. There should be no need to get it manually under normal conditions.

I see a link with get certificate wich i used the last time (see my older posting from 2021-03-18).

 

kbe_0-1665646592424.png

 

0 Likes Likes

Jason_Lieberman
L2 Linker
In response to kbe

‎10-13-2022 07:58 AM

I have no such link.

 

Jason_Lieberman_0-1665673082896.png

 

PCNSE, PCNSC, CyberForce
0 Likes Likes

kiwi
Community Team Member

‎10-17-2022 03:12 AM

Hi @Jason_Lieberman ,

 

There's a way to fetch it using the CLI:

admin@PA-LAB> request certificate fetch otp <value>

 

replace <value> with the OTP generated on the support portal.

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
(1)

Jason_Lieberman
L2 Linker
In response to kiwi

‎10-17-2022 06:30 AM

While the 'request certificate fetch otp' is not a valid command on my 440.  'request certificate fetch' is.  When I ran that is managed to get a new cert.  I'm shocked!  It's been failing for a few weeks now and TAC is stumped as to why.

 

Thank you for that.

PCNSE, PCNSC, CyberForce
0 Likes Likes

niavasha
L1 Bithead
In response to Jason_Lieberman

‎11-10-2022 04:09 AM

Try the solution here on the 440 - it works luckily : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NlxCAE

0 Likes Likes

niavasha
L1 Bithead
In response to niavasha

‎11-10-2022 04:11 AM

Then ssh in and try simply:

 request certificate fetch

 

(1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2023 - Palo Alto Networks