Decryption: Received fatal alert CertificateUnknown from client

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Decryption: Received fatal alert CertificateUnknown from client

L2 Linker

Hi Folks, 

 

I'm seeing some instances of "Received fatal alert CertificateUnknown from client" errors in the decryption log when the root\issuer certs are clearly in the FW's cert store. Attached are screenshots of the error and the FW's cert store. Any ideas on what could be going wrong here?

I'm seeing this on PAN OS 11.0.2-h3 & 10.2.7-h3.

 

Thanks for your thoughts!

 

8 REPLIES 8

L3 Networker

Hi  LCMember40912,

 

The GP certificate which you are using is missing it's root certificate.

This is the reason you are getting the error as the Client/Server it not able to trust the certificate.

As a Workaround please find the below methods.

 

Please try to import the entire certificate chain given by GoDaddy into the firewall and then Try to add the Root Certificate in the GP Portal and Change the SSL/TLS version max to 1.2.

 

This should help you in resolving the issue.

 

Regards

Satya Kalyan

L3 Networker

@LCMember40912 

 

Are you configuring SSL inbound decryption in the firewall

Hi Satya, you are quite correct. When I exported and opened the original cert in the screenshot, it was in fact only an intermediate cert. I was able to download the root and install it. Thanks for setting me straight! 🙂

Ian

Hi Satyak,

 

Regrettably, as I go over the decryption logs again today, I'm still seeing instances of my original issue. For example, here's the error in the decryption log (I should note that the source IP address from this entry is assigned to one of our corporate laptops, and thus trusts the forward-trust certificate):

 

error.png

If I go to the indicated URL (http://r3.iencr.org/) and download the certificate, and take a look at the certification path, I see this:

 

path.png

If I take a look in the FW's certificate store, I see this:

 

cert store.png

 

So given these facts, how is it still possible to generate the 'CertificateUnknown' error? Thanks for your thoughts! Just to clarify, this is forward proxy decryption, and not GP or inbound...

Is this running from an application on the clients machine or are they just web-browsing to this place? Generally in my experience client cert errors are most often a result of the application doing certificate pinning thus causing ssl inspection to stop this connection. 

L2 Linker

"Is this running from an application on the clients machine or are they just web-browsing to this place?"

 

You know, that's a good question. I don't really know anything apart from what I see in the decryp logs. Just trying to be proactive so people don't write helpdesk messages saying they can't get to this or that site... Is there a way to tell?

L1 Bithead

FYI - Instructions on how to repair incomplete certificate chains:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decry... 

L0 Member

I've had very similar issues.
If you trace it back to a corporate laptop, would it be possible that a Chromium based browser is used?

Been issues where legitimate traffic doesn't work as intended if SSL decrypt is being used due to this:
https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
https://tldr.fail/

PAN have a bug fix being pushed PAN-247099

  • 10127 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!