Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global Protect config problem: The server certificate is invalid.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect config problem: The server certificate is invalid.

L2 Linker

Hi,

In lab i am trying to setup a simple global protect configuration where the gateway and portal are on the same IP and just using local user authentication.  I have a certificate for my my public IP from let's ecnrypt and  have imported this into palo alto.

I am able to connect to the portal without any certificate issues.  But when connecting through the gateway i am getting the server certficate is invalid.

 

My config looks like this:

 

Portal config:

 

GPP-Portal {
portal-config {
client-auth {
GPP-AUTH {
os Any;
authentication-profile "Local-Database Authentication";
authentication-message "Enter login credentials";
}
}
local-address {
interface loopback;
ip {
ipv4 10.1.1.1;
}
}
custom-login-page factory-default;
custom-home-page factory-default;
custom-help-page factory-default;
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
}
client-config {
configs {
AUTH-PORTAL {
hip-collection {
max-wait-time 20;
collect-hip-data yes;
}
gateways {
external {
list {
fw.relianet.be {
fqdn fw.relianet.be;
priority-rule {
Any {
priority 1;
}
}
manual yes;
}
}
cutoff-time 5;
}
}
authentication-override {
generate-cookie no;
}
source-user any;
os Windows;
agent-ui {
max-agent-user-overrides 0;
agent-user-override-timeout 0;
}
gp-app-config {
config {
connect-method {
value on-demand;
}
refresh-config-interval {
value 24;
}
agent-user-override {
value allowed;
}
client-upgrade {
value prompt;
}
use-sso {
value no;
}
logout-remove-sso {
value yes;
}
krb-auth-fail-fallback {
value yes;
}
retry-tunnel {
value 30;
}
retry-timeout {
value 5;
}
enforce-globalprotect {
value no;
}
captive-portal-exception-timeout {
value 0;
}
traffic-blocking-notification-delay {
value 15;
}
display-traffic-blocking-notification-msg {
value yes;
}
traffic-blocking-notification-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-heigh
t: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
}
allow-traffic-blocking-notification-dismissal {
value yes;
}
display-captive-portal-detection-msg {
value no;
}
captive-portal-detection-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size
: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0
; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
}
certificate-store-lookup {
value user-and-machine;
}
scep-certificate-renewal-period {
value 7;
}
retain-connection-smartcard-removal {
value yes;
}
enable-advanced-view {
value yes;
}
enable-do-not-display-this-welcome-page-again {
value yes;
}
rediscover-network {
value yes;
}
resubmit-host-info {
value yes;
}
can-change-portal {
value yes;
}
can-continue-if-portal-cert-invalid {
value yes;
}
show-agent-icon {
value yes;
}
user-switch-tunnel-rename-timeout {
value 0;
}
pre-logon-tunnel-rename-timeout {
value -1;
}
show-system-tray-notifications {
value no;
}
max-internal-gateway-connection-attempts {
value 0;
}
portal-timeout {
value 5;
}
connect-timeout {
value 5;
}
receive-timeout {
value 30;
}
enforce-dns {
value yes;
}
flush-dns {
value no;
}
proxy-multiple-autodetect {
value no;
}
wsc-autodetect {
value yes;
}
mfa-enabled {
value no;
}
mfa-listening-port {
value 4501;
}
mfa-notification-msg {
value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
ipv6-preferred {
value yes;
}
}
}
save-user-credentials 2;
portal-2fa no;
manual-only-gateway-2fa no;
internal-gateway-2fa no;
auto-discovery-external-gateway-2fa no;
mdm-enrollment-port 443;
}
}
}
satellite-config {
client-certificate {
local;
}
}
}

 

GATEWAY:

 

GP-GATEWAY {
roles {
default {
login-lifetime {
days 30;
}
inactivity-logout {
hours 3;
}
disconnect-on-idle {
minutes 180;
}
}
}
client-auth {
GPG-CLIENT-AUTH {
authentication-profile "Local-Database Authentication";
os Any;
authentication-message "Enter login credentials";
}
}
remote-user-tunnel-configs {
GPG-Agent {
authentication-override {
generate-cookie no;
}
split-tunneling {
access-route 192.168.1.0/24;
exclude-access-route;
}
source-user any;
authentication-server-ip-pool;
ip-pool 192.168.250.0/24;
os any;
retrieve-framed-ip-address no;
no-direct-access-to-local-network no;
}
}
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
tunnel-mode yes;
remote-user-tunnel tunnel.3;
}

 

Anybody that can help me out with this.

 

 

10 REPLIES 10

Community Team Member

Hi @GOMEZZZ,

 

You might be running into the following issue :

 

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-Whe...

 

Hope this helps.

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Kiwi,

 

It doesnet seem to be related to this issue.

 

Frederik.

 

L1 Bithead

If you have a certificate on your IP; instead of your hostname; you need to change the external gateway FQDN name to the IP and not use fw.relianet.be

 

 

So change this:

 

gateways {external {list {fw.relianet.be {fqdn fw.relianet.be;priority-rule {Any {priority 1;}}

To this:

 

gateways {external {list {fw.relianet.be {fqdn <your IP address>;priority-rule {Any {priority 1;}}

 

A-

Hi andy,

 

I have a certificate with subject and SAN set to fw.relianet.be

 

cert.PNG

 

I modified it as you suggest for testing but still have the same result:

 

gateways {
          external {
            list {
              fw.relianet.be {
                ip {
                  ipv4 81.83.18.57;
                }
                priority-rule {
                  Any {
                    priority 1;
                  }

 

If  you need any other output screenshots please let me know.

 

Tnx,

 

Frederik.

 

I would enable the debugger on the client, and see why it's not accepting your cerftificate, it will tell you exactly what is wrong.

 

If you right click on your client, you can choose "Collect Logs", open that zipfile and open PanGPS.log.

 

Look for anything related to SSL:

 

(T21656) 03/12/18 15:19:20:667 Debug( 322): Open_SSL_connection: subject '/C=US/ST=West Virginia/L=Charleston/O=xxxxxxxxx (US) Inc./OU=IS/CN=*.xxxxxxx.com'
(T21656) 03/12/18 15:19:20:667 Debug( 326): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA'
(T21656) 03/12/18 15:19:20:667 Debug(1006): Name vpn.xxxxxxxxx.com matches pattern *.xxxxxxx.com
(T21656) 03/12/18 15:19:20:667 Debug( 923): Cert name check of *.xxxxxxx.com succeeded

6:39:52:897 Debug( 545): Failed to connect to 81.83.18.57 on 443 with return error -1 and socket error 0(The operation completed successfully.)
(T5540) 03/15/18 16:39:52:897 Debug( 697): do_tcp_connect() failed
(T5540) 03/15/18 16:39:52:897 Error(7700): ConnectSSL: Failed to connect to '81.83.18.57:443'. Disconnect ssl.
(T5540) 03/15/18 16:39:52:897 Debug(7711): Cannot get server cert of 81.83.18.57
(T5540) 03/15/18 16:39:52:897 Debug(5145): Already tried both ipv4 and ipv6 for gateway fw.relianet.be
(T5540) 03/15/18 16:39:52:897 Error(2845): Failed to verify server certificate of gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(4576): Show Gateway fw.relianet.be: The server certificate is invalid. Please contact your IT administrator.
(T5540) 03/15/18 16:39:52:897 Info (2148): Failed to retrieve info for gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(2155): tunnel to fw.relianet.be is not created.
(T5540) 03/15/18 16:39:52:897 Error(3876): NetworkDiscoverThread: failed to discover external network.
(T5540) 03/15/18 16:39:52:897 Debug(4733): --Set state to Disconnected

 

I also remove the global protect client and clear the folders in C:\Users\username\appddata\local\Palo alto\...

Everytime i change something.

 

Was this ever resolved? - I see the exact type errors in my log and its not clear where to go from here.

@GOMEZZZ ,

 

Please check the following.

- Try with a different version of GP.

- It can happen if you have external root CA. Please try to install a client certificate issued by your domain server(Root CA).
Also make sure two things below.
- Add Root CA, PAN Forward Trust certificate in CA certificates under Certificate Profile
- Add Root CA, PAN Forward Trust certificate in Trusted Root CA under GP portal config.

Hello Team,

I am having the below issue and I do enter my  "Local Credentials" but nothing happens. Please help me.

 

invalid http response. return error(Credential authentication failed; Retry authentication). - 04/24/2020 21:42:09  (enter credentials)

 

Thank you,

Mohammad Rahman

L2 Linker

hey @GOMEZZZ 

 

I know it's been a while since you'v made this post, but I hope this message finds you well.

 

Based on the PanGPS logs you've previously posted, the Agent is unable to verify the server certificate used for the Gateway SSL/TLS profile. 

 

Common issues for this would include CN mismatch, as mentioned before by other community members, and incorrect certificate deployment: eg the Agent is unable to follow the full chain. A quick way to test this is using your local browser to connect and reviewing the output messages.

 

Could you please confirm the following:

 

1. The root (and intermediate if applicable) CA(s) used to sign the imported Portal/Gateway certificate are deployed in the correct directories on the endpoint

2. The server certificate used for the Portal/Gateway has the correct CN (and SAN if applicable) attribute

 

I've included documentation discussing the certificate deployment options for GlobalProtect below for your reference also.

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/get-started/enable-ssl-betwe...

 

 

-Cheers

-Cheers
  • 49927 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!