Global Protect config problem: The server certificate is invalid.

L2 Linker

Global Protect config problem: The server certificate is invalid.

Hi,

In the lab I am trying to set up a simple GlobalProtect configuration where the gateway and portal are on the same IP and just using local user authentication. I have a certificate for my public IP from Let's Encrypt and have imported this into Palo Alto.

I am able to connect to the portal without any certificate issues. But when connecting through the gateway I am getting "the server certificate is invalid".

 

My config looks like this:

 

Portal config:

 

GPP-Portal {
portal-config {
client-auth {
GPP-AUTH {
os Any;
authentication-profile "Local-Database Authentication";
authentication-message "Enter login credentials";
}
}
local-address {
interface loopback;
ip {
ipv4 10.1.1.1;
}
}
custom-login-page factory-default;
custom-home-page factory-default;
custom-help-page factory-default;
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
}
client-config {
configs {
AUTH-PORTAL {
hip-collection {
max-wait-time 20;
collect-hip-data yes;
}
gateways {
external {
list {
fw.relianet.be {
fqdn fw.relianet.be;
priority-rule {
Any {
priority 1;
}
}
manual yes;
}
}
cutoff-time 5;
}
}
authentication-override {
generate-cookie no;
}
source-user any;
os Windows;
agent-ui {
max-agent-user-overrides 0;
agent-user-override-timeout 0;
}
gp-app-config {
config {
connect-method {
value on-demand;
}
refresh-config-interval {
value 24;
}
agent-user-override {
value allowed;
}
client-upgrade {
value prompt;
}
use-sso {
value no;
}
logout-remove-sso {
value yes;
}
krb-auth-fail-fallback {
value yes;
}
retry-tunnel {
value 30;
}
retry-timeout {
value 5;
}
enforce-globalprotect {
value no;
}
captive-portal-exception-timeout {
value 0;
}
traffic-blocking-notification-delay {
value 15;
}
display-traffic-blocking-notification-msg {
value yes;
}
traffic-blocking-notification-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
}
allow-traffic-blocking-notification-dismissal {
value yes;
}
display-captive-portal-detection-msg {
value no;
}
captive-portal-detection-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
}
certificate-store-lookup {
value user-and-machine;
}
scep-certificate-renewal-period {
value 7;
}
retain-connection-smartcard-removal {
value yes;
}
enable-advanced-view {
value yes;
}
enable-do-not-display-this-welcome-page-again {
value yes;
}
rediscover-network {
value yes;
}
resubmit-host-info {
value yes;
}
can-change-portal {
value yes;
}
can-continue-if-portal-cert-invalid {
value yes;
}
show-agent-icon {
value yes;
}
user-switch-tunnel-rename-timeout {
value 0;
}
pre-logon-tunnel-rename-timeout {
value -1;
}
show-system-tray-notifications {
value no;
}
max-internal-gateway-connection-attempts {
value 0;
}
portal-timeout {
value 5;
}
connect-timeout {
value 5;
}
receive-timeout {
value 30;
}
enforce-dns {
value yes;
}
flush-dns {
value no;
}
proxy-multiple-autodetect {
value no;
}
wsc-autodetect {
value yes;
}
mfa-enabled {
value no;
}
mfa-listening-port {
value 4501;
}
mfa-notification-msg {
value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
ipv6-preferred {
value yes;
}
}
}
save-user-credentials 2;
portal-2fa no;
manual-only-gateway-2fa no;
internal-gateway-2fa no;
auto-discovery-external-gateway-2fa no;
mdm-enrollment-port 443;
}
}
}
satellite-config {
client-certificate {
local;
}
}
}

 

GATEWAY:

 

GP-GATEWAY {
roles {
default {
login-lifetime {
days 30;
}
inactivity-logout {
hours 3;
}
disconnect-on-idle {
minutes 180;
}
}
}
client-auth {
GPG-CLIENT-AUTH {
authentication-profile "Local-Database Authentication";
os Any;
authentication-message "Enter login credentials";
}
}
remote-user-tunnel-configs {
GPG-Agent {
authentication-override {
generate-cookie no;
}
split-tunneling {
access-route 192.168.1.0/24;
exclude-access-route;
}
source-user any;
authentication-server-ip-pool;
ip-pool 192.168.250.0/24;
os any;
retrieve-framed-ip-address no;
no-direct-access-to-local-network no;
}
}
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
tunnel-mode yes;
remote-user-tunnel tunnel.3;
}

 

Is there anybody who can help me out with this?

 

 

Community Team Member

Re: Global Protect config problem: The server certificate is invalid.

Hi @FDEMUYTER,

 

You might be running into the following issue :

 

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-Whe...

 

Hope this helps.

Cheers !

-Kiwi.

L2 Linker

Re: Global Protect config problem: The server certificate is invalid.

Hi Kiwi,

 

It doesn't seem to be related to this issue.

 

Frederik.

 

L1 Bithead

Re: Global Protect config problem: The server certificate is invalid.

If you have a certificate on your IP, instead of your hostname, you need to change the external gateway FQDN name to the IP and not use fw.relianet.be.

 

 

So change this:

 

gateways {external {list {fw.relianet.be {fqdn fw.relianet.be;priority-rule {Any {priority 1;}}

To this:

 

gateways {external {list {fw.relianet.be {fqdn <your IP address>;priority-rule {Any {priority 1;}}

 

A-

L2 Linker

Re: Global Protect config problem: The server certificate is invalid.

Hi andy,

 

I have a certificate with subject and SAN set to fw.relianet.be

 

[screenshot attached: cert.PNG]

 

I modified it as you suggested for testing but still have the same result:

 

gateways {
          external {
            list {
              fw.relianet.be {
                ip {
                  ipv4 81.83.18.57;
                }
                priority-rule {
                  Any {
                    priority 1;
                  }

 

If you need any other output or screenshots, please let me know.

 

Tnx,

 

Frederik.
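The name check a TLS client performs depends on what the client connected to: a DNS subjectAltName such as fw.relianet.be only satisfies a connection made to that host name, while a connection made to an IP literal is matched only against iPAddress SAN entries. As an added example (not code from this thread or from Palo Alto Networks), the following Python reproduces that RFC 6125 style comparison against the certificate the poster described (subject and SAN fw.relianet.be) and against a hypothetical second certificate that additionally carries the IP 81.83.18.57 as an IP SAN; the wildcard test names under example.com are constructed.

```python
import ipaddress

# Constructed sample certificates. CERT_DNS_ONLY mirrors what the poster described:
# subject CN and a single DNS SAN for fw.relianet.be. CERT_WITH_IP is hypothetical,
# showing what an iPAddress SAN entry would have to look like for the IP to match.
CERT_DNS_ONLY = {"subject_cn": "fw.relianet.be",
                 "san": [("DNS", "fw.relianet.be")]}
CERT_WITH_IP = {"subject_cn": "fw.relianet.be",
                "san": [("DNS", "fw.relianet.be"), ("IP", "81.83.18.57")]}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style DNS-ID comparison: case-insensitive, and a wildcard is
    only honoured as the entire left-most label (so *.example.com matches
    vpn.example.com but not a.b.example.com, and *.com is rejected)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    # wildcard: at least two labels must follow it, and label counts must agree
    if len(p) < 3 or len(p) != len(h) or h[0] == "":
        return False
    return p[1:] == h[1:]


def cert_matches_reference(cert, reference):
    """Return (ok, reason) for the reference identity the client connected to.
    reference is either a host name (matched against DNS SANs, falling back to
    the subject CN only when no DNS SAN is present) or an IP address literal
    (matched only against IP SANs; a DNS SAN never matches an IP)."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    sans = cert["san"]
    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value} matches {reference}"
        dns_sans = [v for k, v in sans if k == "DNS"]
        return False, (f"{reference} is an IP literal but the certificate has no "
                       f"matching IP SAN; its DNS SANs {dns_sans} cannot satisfy "
                       f"a connection made to an IP address")
    dns_sans = [v for k, v in sans if k == "DNS"]
    for v in dns_sans:
        if dns_name_matches(v, reference):
            return True, f"DNS SAN {v} matches {reference}"
    if not dns_sans and dns_name_matches(cert["subject_cn"], reference):
        return True, f"subject CN {cert['subject_cn']} matches {reference} (no DNS SAN present)"
    return False, f"no DNS SAN matches {reference}"


if __name__ == "__main__":
    for cert, ref in [(CERT_DNS_ONLY, "fw.relianet.be"),
                      (CERT_DNS_ONLY, "81.83.18.57"),
                      (CERT_WITH_IP, "81.83.18.57")]:
        ok, why = cert_matches_reference(cert, ref)
        print("OK  " if ok else "FAIL", ref, "->", why)
```

Run as a script it prints one line per case; the point it makes is that pointing the gateway entry at an IP address while the certificate only names fw.relianet.be changes which identity the client checks, so the certificate's SAN entries and the gateway address configured in the portal's client config have to agree with each other.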

 

L1 Bithead

Re: Global Protect config problem: The server certificate is invalid.

I would enable the debugger on the client and see why it's not accepting your certificate; it will tell you exactly what is wrong.

 

If you right click on your client, you can choose "Collect Logs", open that zipfile and open PanGPS.log.

 

Look for anything related to SSL:

 

(T21656) 03/12/18 15:19:20:667 Debug( 322): Open_SSL_connection: subject '/C=US/ST=West Virginia/L=Charleston/O=xxxxxxxxx (US) Inc./OU=IS/CN=*.xxxxxxx.com'
(T21656) 03/12/18 15:19:20:667 Debug( 326): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA'
(T21656) 03/12/18 15:19:20:667 Debug(1006): Name vpn.xxxxxxxxx.com matches pattern *.xxxxxxx.com
(T21656) 03/12/18 15:19:20:667 Debug( 923): Cert name check of *.xxxxxxx.com succeeded
L2 Linker

Re: Global Protect config problem: The server certificate is invalid.

6:39:52:897 Debug( 545): Failed to connect to 81.83.18.57 on 443 with return error -1 and socket error 0(The operation completed successfully.)
(T5540) 03/15/18 16:39:52:897 Debug( 697): do_tcp_connect() failed
(T5540) 03/15/18 16:39:52:897 Error(7700): ConnectSSL: Failed to connect to '81.83.18.57:443'. Disconnect ssl.
(T5540) 03/15/18 16:39:52:897 Debug(7711): Cannot get server cert of 81.83.18.57
(T5540) 03/15/18 16:39:52:897 Debug(5145): Already tried both ipv4 and ipv6 for gateway fw.relianet.be
(T5540) 03/15/18 16:39:52:897 Error(2845): Failed to verify server certificate of gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(4576): Show Gateway fw.relianet.be: The server certificate is invalid. Please contact your IT administrator.
(T5540) 03/15/18 16:39:52:897 Info (2148): Failed to retrieve info for gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(2155): tunnel to fw.relianet.be is not created.
(T5540) 03/15/18 16:39:52:897 Error(3876): NetworkDiscoverThread: failed to discover external network.
(T5540) 03/15/18 16:39:52:897 Debug(4733): --Set state to Disconnected

 

I also remove the GlobalProtect client and clear the folders in C:\Users\username\AppData\Local\Palo Alto\... every time I change something.
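Read in sequence, the log excerpt above says something more specific than the message the client displays: do_tcp_connect() fails for 81.83.18.57:443 before any TLS handshake, so the client never receives a certificate, and "Failed to verify server certificate" is only reported afterwards. As an added example (not from this thread or from Palo Alto Networks), here is a small Python triage script that parses PanGPS.log records, counts the message signatures visible in the posts above, and reports the earliest failure in the connect sequence; it is run over the two excerpts posted in this thread, embedded as sample input. Only the record format and message strings shown in these posts are assumed.

```python
import re
from collections import Counter

# Sample 1: copied from the failing excerpt posted above (the first line is
# truncated exactly as it appears there, which is why the parser tolerates a
# missing thread-id/date prefix).
FAILING_LOG = """\
6:39:52:897 Debug( 545): Failed to connect to 81.83.18.57 on 443 with return error -1 and socket error 0(The operation completed successfully.)
(T5540) 03/15/18 16:39:52:897 Debug( 697): do_tcp_connect() failed
(T5540) 03/15/18 16:39:52:897 Error(7700): ConnectSSL: Failed to connect to '81.83.18.57:443'. Disconnect ssl.
(T5540) 03/15/18 16:39:52:897 Debug(7711): Cannot get server cert of 81.83.18.57
(T5540) 03/15/18 16:39:52:897 Debug(5145): Already tried both ipv4 and ipv6 for gateway fw.relianet.be
(T5540) 03/15/18 16:39:52:897 Error(2845): Failed to verify server certificate of gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(4576): Show Gateway fw.relianet.be: The server certificate is invalid. Please contact your IT administrator.
"""

# Sample 2: the healthy excerpt from the earlier reply (wildcard cert, name check passes).
HEALTHY_LOG = """\
(T21656) 03/12/18 15:19:20:667 Debug( 322): Open_SSL_connection: subject '/C=US/ST=West Virginia/L=Charleston/O=xxxxxxxxx (US) Inc./OU=IS/CN=*.xxxxxxx.com'
(T21656) 03/12/18 15:19:20:667 Debug( 326): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA'
(T21656) 03/12/18 15:19:20:667 Debug(1006): Name vpn.xxxxxxxxx.com matches pattern *.xxxxxxx.com
(T21656) 03/12/18 15:19:20:667 Debug( 923): Cert name check of *.xxxxxxx.com succeeded
"""

# "(Tnnnn) mm/dd/yy hh:mm:ss:ms Level(code): message"; thread id and date are optional.
LINE_RE = re.compile(
    r"^(?:\(T\d+\)\s+)?(?:\d\d/\d\d/\d\d\s+)?\S+\s+(Debug|Error|Info)\s*\(\s*(\d+)\):\s*(.*)$")

# Message signatures, all taken from strings visible in the thread. The verdict is
# decided from the earliest failure in the connection sequence (TCP, then TLS).
SIGNATURES = [
    ("tcp_connect_failed", re.compile(r"do_tcp_connect\(\) failed|Failed to connect to \S+ on \d+")),
    ("cert_not_retrieved", re.compile(r"Cannot get server cert of")),
    ("cert_verify_failed", re.compile(r"Failed to verify server certificate")),
    ("name_check_ok", re.compile(r"Cert name check of .* succeeded|Name \S+ matches pattern")),
]
SUBJECT_RE = re.compile(r"Open_SSL_connection: subject '([^']*)'")


def parse_line(line):
    """Return (level, code, message), or None for lines that are not log records."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def triage(log_text):
    """Count signature hits and derive a verdict plus the certificate subject seen, if any."""
    events = Counter()
    subject = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec[2]
        for name, pat in SIGNATURES:
            if pat.search(msg):
                events[name] += 1
        sm = SUBJECT_RE.search(msg)
        if sm:
            subject = sm.group(1)
    if events["tcp_connect_failed"]:
        verdict = "gateway_unreachable"
        advice = ("TCP connect to the gateway port failed before any TLS handshake, so no "
                  "certificate was ever received; 'The server certificate is invalid' is a "
                  "downstream symptom. Check reachability of the gateway address and port "
                  "(interface, NAT, security policy) before touching the certificate.")
    elif events["cert_verify_failed"]:
        verdict = "certificate_rejected"
        advice = ("TLS reached the gateway but the client rejected the certificate: compare "
                  "its subject/SAN with the address the client connects to and check the chain.")
    elif events["name_check_ok"]:
        verdict = "name_check_passed"
        advice = "Certificate name check succeeded; the failure, if any, is elsewhere."
    else:
        verdict = "inconclusive"
        advice = "No known signature matched; review the full PanGPS.log around the timestamp."
    return {"verdict": verdict, "advice": advice, "events": dict(events), "subject": subject}


if __name__ == "__main__":
    for label, text in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        r = triage(text)
        print(f"{label}: {r['verdict']} {r['events']} subject={r['subject']}")
        print("  ", r["advice"])
```

Feed it a saved PanGPS.log (from the client's "Collect Logs" zip) instead of the embedded samples to get the same verdict for your own capture; the signature table is deliberately limited to strings that appear in this thread, so extend it as you meet other messages.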

 

L0 Member

Re: Global Protect config problem: The server certificate is invalid.

Was this ever resolved? I see the exact same type of errors in my log and it's not clear where to go from here.

L4 Transporter

Re: Global Protect config problem: The server certificate is invalid.

@FDEMUYTER ,

 

Please check the following.

- Try with a different version of GP.

- It can happen if you have an external root CA. Please try to install a client certificate issued by your domain server (root CA).
Also make sure of the two things below.
- Add Root CA, PAN Forward Trust certificate in CA certificates under Certificate Profile
- Add Root CA, PAN Forward Trust certificate in Trusted Root CA under GP portal config.

L0 Member

Invalid http response

Hello Team,

I am having the below issue. I do enter my "Local Credentials" but nothing happens. Please help me.

 

invalid http response. return error(Credential authentication failed; Retry authentication). - 04/24/2020 21:42:09  (enter credentials)

 

Thank you,

Mohammad Rahman
