02-16-2024 11:24 AM
Hi Folks,
I'm seeing some instances of "Received fatal alert CertificateUnknown from client" errors in the decryption log when the root/issuer certs are clearly in the FW's cert store. Attached are screenshots of the error and the FW's cert store. Any ideas on what could be going wrong here?
I'm seeing this on PAN OS 11.0.2-h3 & 10.2.7-h3.
Thanks for your thoughts!
02-24-2024 12:20 AM
Hi LCMember40912,
The GP certificate which you are using is missing its root certificate.
This is the reason you are getting the error, as the client/server is not able to trust the certificate.
As a workaround, please find the methods below.
Please try to import the entire certificate chain given by GoDaddy into the firewall, then try to add the root certificate in the GP Portal and change the SSL/TLS max version to 1.2.
This should help you in resolving the issue.
Regards
Satya Kalyan
02-26-2024 08:52 AM
Hi Satya, you are quite correct. When I exported and opened the original cert in the screenshot, it was in fact only an intermediate cert. I was able to download the root and install it. Thanks for setting me straight! 🙂
Ian
02-27-2024 09:16 AM
Hi Satyak,
Regrettably, as I go over the decryption logs again today, I'm still seeing instances of my original issue. For example, here's the error in the decryption log (I should note that the source IP address from this entry is assigned to one of our corporate laptops, and thus trusts the forward-trust certificate):
If I go to the indicated URL (http://r3.iencr.org/) and download the certificate, and take a look at the certification path, I see this:
If I take a look in the FW's certificate store, I see this:
So given these facts, how is it still possible to generate the 'CertificateUnknown' error? Thanks for your thoughts! Just to clarify, this is forward proxy decryption, and not GP or inbound...
02-27-2024 10:16 AM
Is this running from an application on the client's machine, or are they just web-browsing to this place? Generally, in my experience, client cert errors are most often a result of the application doing certificate pinning, thus causing SSL inspection to stop this connection.
02-27-2024 01:43 PM
"Is this running from an application on the client's machine, or are they just web-browsing to this place?"
You know, that's a good question. I don't really know anything apart from what I see in the decryption logs. Just trying to be proactive so people don't write helpdesk messages saying they can't get to this or that site... Is there a way to tell?
08-19-2024 03:06 PM
FYI - Instructions on how to repair incomplete certificate chains:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decry...
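The "intermediate only" trust-store mistake described earlier in this thread can be reproduced and checked locally with the openssl CLI. This is an added example, not code from the thread or from Palo Alto Networks' documentation; it builds a constructed (made-up) root -> intermediate -> leaf chain in a temp directory and then validates the leaf against a store holding only the intermediate versus one holding the root.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI, then chain checks with openssl verify.
set -e
WORK=$(mktemp -d)

# Self-signed root (openssl req -x509 marks it CA:TRUE with the default config).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate: CSR signed by the root, with CA:TRUE so it may sign the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf (what a web server presents), signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-leaf.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -out "$WORK/leaf.pem" 2>/dev/null

# check_chain STORE LEAF [UNTRUSTED]: returns 0 if LEAF chains up to a self-signed
# trust anchor in STORE. UNTRUSTED holds intermediates the server sends alongside
# the leaf; they are used to build the chain but never treated as anchors.
check_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Store holds only the intermediate: the chain never reaches a self-signed root,
# which is the situation the thread describes (an intermediate mistaken for a root).
if check_chain "$WORK/int.pem" "$WORK/leaf.pem"; then
  echo "intermediate-only store: chain validates"
else
  echo "intermediate-only store: chain incomplete (no root found)"
fi

# Store holds the root and the server supplies the intermediate: validates.
if check_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "root in store, intermediate supplied: chain validates"
fi
```

Against a live server, `openssl s_client -connect host:443 -showcerts` prints the chain the server actually sends, which can then be checked the same way to tell a missing root in the store from a server that omits its intermediate.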
08-26-2024 01:44 AM
I've had very similar issues.
If you trace it back to a corporate laptop, would it be possible that a Chromium-based browser is used?
There have been issues where legitimate traffic doesn't work as intended if SSL decrypt is being used, due to this:
https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
https://tldr.fail/
PAN has a bug fix being pushed, PAN-247099.