All of a sudden, at the beginning of this week, our GlobalProtect clients have been failing with "valid client certificate is required".
The environment is set for machine cert auth (Windows ADCS).
Now, to get around this issue we have turned off CRL in the certificate profile, but we are still at a loss.
Tried the latest version of the GP client.
PS: it's the same result on all our firewalls, until we turn off CRL.
The only thing that might stick is that our issuing CA was patched, and then our issues started a few days later.
The best log I've found so far is "a certificate chain could not be built to a trusted root authority",
but our chain is valid.
Any ideas what else to do?
Hi @noobynetwork ,
"the only thing that might stick, is our issuing ca was patched, then our issues started a few days later."
Was your CA renewed around the server patching?
"now, to get around this issue we have turned off CRL in the certificate profile, but still at a loss"
"ps. its the same result on all our firewalls, until we turn off CRL"
I am confused: does it work after you disable CRL, or still not?
The error message you receive speaks for itself: your firewall is not trusting the machine certificate that your users are providing during authentication. However, there are a couple of reasons this could happen:
- The machine certificate has expired and was not renewed automatically. On one of the affected machines, check the certificate store and see if the machine certificate that should be used for GP is valid (not expired).
- The certificate profile on the GP portal/gateway is not listing the correct CAs. If the machine certificate is signed by a CA that is not in the cert profile used by the GP portal/gateway, the GP client wouldn't know which client cert to use and wouldn't provide any. Check one of the affected client certs and confirm that the issuing CA is in the cert profile.
- The CA certificate was renewed. If you have renewed your CA recently, some of the machines may already have enrolled client certs from the new CA, while some still have certs issued from the old CA. The old and the new CA may have the exact same CN, but they are different. In this case you will need to import both CAs to the firewall and use them in the cert profile.
- The CRL endpoints listed in the certificate profile are not reachable. You can check this KB; it is not exactly the same issue, but it could give you directions on how to confirm whether the CRL is not reachable: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMSlCAM
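The four checks in the reply above (cert expiry, issuing CA identity, old-vs-new CA with the same CN, and CRL reachability) can be run from one affected Windows client. The script below is an added example, not code from either poster or from Palo Alto Networks; it assumes the machine certificate is in `Cert:\LocalMachine\My` and that the firewall's chain validation behaves like a chain build with online revocation checking. It builds the chain twice, once with revocation checking and once without, which separates "CRL unreachable or stale" from "CA not trusted", and it prints the issuing CA's thumbprint so it can be compared against the CA certificate loaded in the GP certificate profile (a renewed CA with the same CN will show a different thumbprint).

```powershell
# Added diagnostic example (not from the original thread). Run in an elevated PowerShell
# prompt on a client that gets "valid client certificate is required".
# Assumption: the GP machine certificate lives in the LocalMachine\My store and has a private key.

$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    "== $($cert.Subject)  [$($cert.Thumbprint)]"
    "   Issuer : $($cert.Issuer)"
    "   Valid  : $($cert.NotBefore) -> $($cert.NotAfter)"
    if ($cert.NotAfter -lt $now) { "   !! certificate is EXPIRED (check 1 in the reply)" }

    # Check 2 + 4: build the chain with and without revocation checking.
    # 'Online' approximates what the firewall does with CRL enabled in the certificate profile;
    # 'NoCheck' approximates the profile with CRL turned off.
    foreach ($mode in 'Online', 'NoCheck') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $mode
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $built = $chain.Build($cert)
        "   Chain build (RevocationMode=$mode): $built"
        foreach ($s in $chain.ChainStatus) {
            "      - $($s.Status): $($s.StatusInformation.Trim())"
        }

        # Check 3: the CA that actually signed this cert. Compare this thumbprint with the
        # CA certificate imported on the firewall; a renewed CA keeps the CN but changes thumbprint.
        if ($chain.ChainElements.Count -gt 1) {
            $issuer = $chain.ChainElements[1].Certificate
            "      issuing CA : $($issuer.Subject)"
            "      thumbprint : $($issuer.Thumbprint)  (valid until $($issuer.NotAfter))"
        }
        $chain.Dispose()
    }

    # Check 4: print the CRL distribution points so the URLs can be tested for reachability
    # from the firewall's management interface or service route (see the KB linked in the reply).
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if ($cdp) { "   CDP    : " + $cdp.Format($false) }
    ""
}
```

If the build succeeds with `NoCheck` but fails with `Online` and reports `RevocationStatusUnknown` or `OfflineRevocation`, the problem is CRL retrieval rather than trust, which matches a thread where disabling CRL in the profile "fixes" logins. If the issuing CA thumbprint printed here differs from the one on the firewall while the subject matches, the CA was renewed and both CA certificates need to be in the certificate profile.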