Web interface connection refused probably due to expired certificate.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Web interface connection refused probably due to expired certificate.

L3 Networker

Hey,

 

The subject says it all...  

 

This is a VM-100 with latest updates.

 

I can log in to CLI and I wonder how can I list all certificates, identify the expired cert and if possible renew it, all through CLI.

 

Thanks for any comments and a list of my options in this situation 🙂

 

best regards Tor

1 accepted solution

Accepted Solutions

Hi Tor,

 

The article you sent actually mentions about the absence of a certificate entirely - rather than an expired one.

 

As per the article's recommendations, have you tried to assign the primary certificate from you chain to the webserver?

 

> configure
# set deviceconfig system web-server-certificate <certname>
# commit
# exit

 

Regarding this error, I have not seen this before and the steps you took to renew the self signed-CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) What Pan-OS version are you running also?

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@LCMember4427,

Pull the running configuration from the CLI, identify the cert in question and update it directly through the CLI and push it back to the box, load it and commit. 

FYI, an expired cert shouldn't block you from accessing the web interface; you should be able to bypass the warning and still access the GUI. 

Hi,

 

Thanks for the advice.  I got the config and found the properties of the expired certificate, see below.

 

There are a total of 6 certificate entries (but only this is expired).  Does it exist an how-to to renew or create a new cert?   Thanks for comments on how I can proceed further by the CLI...

 

regards Tor

 

 

CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
</public-key>
        <algorithm>RSA</algorithm>
      </entry>
      <entry name="MyCompanys CA 2017">
        <subject-hash>c16a5de3</subject-hash>
        <issuer-hash>94d7a06a</issuer-hash>
        <not-valid-before>Jan 26 20:02:51 2017 GMT</not-valid-before>
        <issuer>/C=NO/ST=Some-State/O=MyCompany VGS</issuer>
        <not-valid-after>Jun 10 20:02:51 2018 GMT</not-valid-after>
        <common-name>172.23.10.2</common-name>
        <expiry-epoch>1528660971</expiry-epoch>
        <ca>no</ca>
        <subject>/C=NO/ST=Some-State/O=MyCompany VGS/OU=Firewall/CN=172.23.10.2</subject>
        <public-key>-----BEGIN CERTIFICATE-----
MIIDFjCCAf4CCQCYA5DXj+1MWDANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJO

 

 

Hi,

 

From the CLI:

> request certificate renew days-till-expiry <days> certificate-name <certname>

 

> request certificate generate
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department


Seconding what @BPry has said - you should still be able to login to the webUI -even with an expired cert.

 

Thanks,

Luke.

 

 

 

Hi again,

 

Thanks for all help.  I see your last comment both of you, however our webinterface ceased to respond at the day the CA cert expired and I read about it here:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Unable-to-Access-Web-Console-via-HTTP-or-HT...

 

If you have other suggestions as to why our webinterface ceased to respond, I'm of course open to any help or troubleshooting tips.

 

Anyway, I tried to renew our current CA cert by this command:

VM-100> request certificate renew days-till-expiry 400 certificate-name "MyCompany CA 2017"
.. but got this error:
Server error : Failed to determine the issuer of certificate

 

This is a self signed cert, so which parameters do I apply to make it content ?

 

Thanks again 🙂

 

best regards Tor

Hi Tor,

 

The article you sent actually mentions about the absence of a certificate entirely - rather than an expired one.

 

As per the article's recommendations, have you tried to assign the primary certificate from you chain to the webserver?

 

> configure
# set deviceconfig system web-server-certificate <certname>
# commit
# exit

 

Regarding this error, I have not seen this before and the steps you took to renew the self signed-CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) What Pan-OS version are you running also?

Hi again,

 

Thanks a lot!  The restarting of the management plane did the trick.  After that we were able to relogin to the webinterface and I created a new cert and now all is well. 

 

The 'disconnection' occurred at about same time as the https cert expired.  I'm on version 8.1.1.  Is it possible that the cert expiration caused the management plane to 'hang' so web interface access was disabled..?

 

Anyway, I'm just glad to be up and running again.  Thanks again 🙂

 

Tor

  • 1 accepted solution
  • 12381 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!