Peer certificate chain building failed due to unable to get local issuer certificate


L0 Member

Hello,

 

This is my first post here as I am a new customer of Palo Alto, but not new to networking. I have an extensive Cisco background.

 

We are having an odd problem when trying to create an IKEv1 s2s tunnel between a remote PA220 and Cisco ASA 5525X headend. The PA outside interface has a dynamic address.

 

We have worked on this issue for days now and even opened a case with PA Support.

 

We are getting this error on the PA side:

IKE phase-1 negotiation is failed. Peer certificate chain building failed due to unable to get local issuer certificate

 

In the logs obtained in the CLI, we are seeing this information:

2020-04-23 09:28:06.066 -0400  [PERR]: Trusted CA not found for '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' because of subject issuer mismatch.

2020-04-23 09:28:06.066 -0400  [PERR]: Peer certificate chain building failed due to unable to get local issuer certificate.

 

I have verified that the certificate chain for the public cert being used on the Cisco ASA headend is intact and complete.

 

Any ideas??? We have scoured the internet for solutions/clues on both sides, Cisco and PA, to no avail.

 

Thanks in advance.

 

John

9 REPLIES

L0 Member

John,

 

I'm in a similar position.  I will be following this thread closely.  Thanks for posting.

Cyber Elite

Did you ever find the answer to this issue?  Typically the error "unable to get local issuer certificate" means that the CA used to issue your peer certificate is not in your certificate profile (configured under your IKE Gateway).  The certificate profile must contain the entire CA certificate chain regardless of what is in the Default Trusted Certificate Authorities.

Help the community: Like helpful comments and mark solutions.
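An added example, not part of this thread: reproducing the failure from the PERR log with the openssl CLI on a workstation, using a constructed root CA / issuing CA / peer chain (all names are placeholders) and `-CAfile` standing in for the IKE Gateway certificate profile. It assumes only that the `openssl` command is installed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild "unable to get local issuer
# certificate" with openssl. The file passed to -CAfile plays the role of the
# certificate profile on the IKE Gateway; CA names and hostname are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Three-tier chain: root CA -> issuing (intermediate) CA -> peer certificate,
# the shape a public CA gives a headend certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/O=Example/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=Example Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=asa-headend.example.net" \
  -keyout peer.key -out peer.csr 2>/dev/null
openssl x509 -req -in peer.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -out peer.crt 2>/dev/null

# verify_peer PROFILE: build the peer's chain using only the CAs in PROFILE.
# Prints "OK" on success, otherwise the reason openssl reports at the failing depth.
verify_peer() {
  out=$(openssl verify -CAfile "$1" peer.crt 2>&1) || true
  case "$out" in
    *": OK"*) echo "OK" ;;
    *) echo "$out" | sed -n 's/.*depth lookup: //p' | head -n 1 ;;
  esac
}

# Case A: the profile holds only the root CA. The peer's direct issuer
# ("Example Issuing CA") is missing, so chain building stops at depth 0.
root_only_result() { verify_peer root.crt; }

# Case B: the profile holds the entire CA chain, as the reply above recommends.
full_chain_result() { cat root.crt int.crt > profile.pem; verify_peer profile.pem; }

echo "root CA only : $(root_only_result)"
echo "full CA chain: $(full_chain_result)"
# Generated files are left in $WORK for inspection (openssl x509 -in peer.crt -noout -issuer).
```

Case A is the same condition the PA logs as `[PERR]`: the trust store has a root, but not the certificate that actually issued the peer's certificate.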

L1 Bithead

Hello,

I'm in a similar situation, but mine is weirder. I have a PA820 at HQ and two PA410s at remote offices. Both PA410s have almost identical configurations (only the IP addresses are different). I'm trying to build IPSec tunnels from HQ to the remote offices. One of them works as expected. The other gives me the error in the topic of this thread. The weird thing is that the same CA (internally generated on the PA820) issued certificates to both remote offices, but only one of them works while the other doesn't. I checked a hundred times and I'm sure the configuration is identical; the "local issuer certificate" is the same for both IKE gateways. I can't understand how it is possible that one remote site works without problems while the other fails to get that local issuer certificate ?!?

Cyber Elite

Hi @GeorgeAPH ,

 

Is your PAN-OS the same on both NGFWs?  I ran into this error with a certificate profile for an EDL.  An upgrade to 10.2.4 fixed the issue.  It turned out to be a bug in the code.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi, @TomYoung,

 

Yes, both my satellite firewalls (working and non-working) are one and the same 11.x.x version.

The hub however is on 10.x.x. Thanks for the suggestion, I'll try to see what an upgrade would do for me.

L0 Member

Hi guys:)

Do you have some updates about this problem?

Hi TomYoung,

I have a customer facing the same issue with an EDL certificate. I saw your post here as well:

https://live.paloaltonetworks.com/t5/next-generation-firewall/edl-unable-to-get-local-issuer-certifi...

 

The customer is not willing to upgrade without knowing the bug ID, do you have it?

 

Thank you in advance.

Best regards

Angelo Oghittu

Hi @AngeloOghittu ,

 

TAC would not give me a bug ID.  I would send the customer this link -> and encourage them to upgrade to the recommended version.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

thank you for your reply. The problem is that the customer is not willing to upgrade to the recommended version due to another bug, and because they need to know the issue ID.

I think I should contact the TAC at this point.

 

Br

Angelo
