Device Certificate Issues.


L1 Bithead

Hi Friends,

 

One of our customers is facing issues fetching the device certificate on a PA-410 device running PAN-OS 11.0.4-h2.

 

We log into the CLI of the firewall with superuser credentials and try to fetch the certificate with the command below:

> request certificate fetch opt < >
It shows us an invalid syntax error. From the GUI we could not see the get-certificate option either.


We have created a policy to allow paloalto-shared services, but it didn't help. We also tried restarting the management server, but it didn't help us.
As it is a PA-410 device, we are not able to see the traffic logs to check whether the traffic is by any chance getting blocked.

 

When we check the device_certgen.log, we see the errors below:
2024-07-23 16:13:19,013 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:13:19,526 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:15:12,498 device_certgen INFO Device certificate not found
2024-07-23 16:16:49,070 device_certgen INFO Device certificate not found
2024-07-23 16:22:04,924 device_certgen INFO Fetching device certificate
2024-07-23 16:22:56,968 device_certgen INFO Secret_key generated
2024-07-23 16:22:56,968 device_certgen INFO Generated pkey and CSR
2024-07-23 16:22:57,173 device_certgen INFO Source interface: 45.112.139.226
2024-07-23 16:22:57,805 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:22:58,337 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')

Any help or suggestions on how to proceed further?

 

Thanks and Regards

Monica Shree.

 

8 REPLIES

L4 Transporter

Hello @Monicashree 

 

For devices equipped with a TPM chipset (like the PA-400 series), the CLI command is simply:

    > request certificate fetch

This will create a job, and you can view the details using:

    > show jobs id XX        (replace XX with your actual job ID)

 

The command "show device-certificate status" allows you to verify the status of your device's certificate.

Cheers,
Cosmin

Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem!

Read more about how and why to accept solutions.

Hi @CosminM ,

 

The firewall is trying to fetch the certificate, but it is failing with no error.

 

Regards 

Monica Shree.

Cyber Elite

Hi @Monicashree ,

 

The error shows up under the "show jobs id <job-id>" command.  Did you run the command as @CosminM explained?  I have never seen it fail without an error, but this could be the first.  On very rare occasions, I have seen the job stay in pending forever.  That obviously shows no error, but the fact that the job did not complete is the error.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

 

Yes, I ran the command mentioned by @CosminM, and I could still only see "fetch failed" without an error.

I am adding the screenshots for reference.

 

[Screenshots attached: Device certificate - CLI.png, Device certificate -1.png]

 

Regards,

Monica Shree

Cyber Elite

Hi @Monicashree ,

 

Thank you for the screen shots!  Well, that's disappointing that there is no error.

 

I apologize.  You already provided the relevant error messages in your original post.  It looks like your traffic is not connecting to the CSP.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBgsCAG&lang=en_US%E2%80%A...

 

This may be caused by not having a security policy rule as the article says or by a routing or other issue.  Do you see the traffic from the NGFW to the CSP being allowed under Monitor > Logs > Traffic?

 

Thanks,

 

Tom


Hi @TomYoung ,

 

This is a PA-410, so I could not find the traffic logs, and the firewall is not connected to Panorama either, so there is no log visibility. Apart from that, I have already added a policy allowing paloalto-shared services, and it is in the top position. I have checked the service routes as well; everything seems to be in place.

 

I changed the service route from management to data plane as well, but it didn't help me. I took packet captures from the data interface IP to certificate.paloaltonetworks.com. Interestingly, I got all four: drop, firewall, receive and transmit packets.

 

The customer is yet to share them. In the meantime, if you have any suggestions, do let me know, or else suggest which two packets I should merge and check.

 

Thanks and Regards

Monica Shree 

Cyber Elite

Hi @Monicashree ,

 

You are doing great!  The next step is to check the packet captures.

 

It could be an MTU issue, but it is doubtful.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NlxCAE&lang=en_US%E2%80%A.... Does the traffic go through a VPN before going out to the Internet?

 

Thanks,

 

Tom


L4 Transporter

Hello @Monicashree 

Can you please look into the process log with the command:

    less mp-log device_certgen.log

Cheers,
Cosmin

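A small triage script for the device_certgen.log excerpt quoted in the original post and for the `less mp-log device_certgen.log` output Cosmin asks for, as an added example that is not code from Palo Alto Networks or from anyone in this thread. It assumes the line layout shown above (timestamp with milliseconds, process name, level, message) and that the `Error: (35, '...')` tuple is a libcurl error code with its message; 35 is libcurl's CURLE_SSL_CONNECT_ERROR, and SSL_ERROR_SYSCALL is OpenSSL reporting a socket-level failure (reset or EOF) during the handshake, which points at the path to the CSP rather than at the key and CSR the firewall generated locally. The sample log text and the 192.0.2.10 source address are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the device_certgen.log lines quoted in the thread.
# The source address is a documentation-range placeholder, not a real firewall.
SAMPLE_LOG = """\
2024-07-23 16:13:19,013 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:15:12,498 device_certgen INFO Device certificate not found
2024-07-23 16:22:04,924 device_certgen INFO Fetching device certificate
2024-07-23 16:22:56,968 device_certgen INFO Secret_key generated
2024-07-23 16:22:56,968 device_certgen INFO Generated pkey and CSR
2024-07-23 16:22:57,173 device_certgen INFO Source interface: 192.0.2.10
2024-07-23 16:22:57,805 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
2024-07-23 16:22:58,337 device_certgen ERROR Error: (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443 ')
"""

# <date time>,<ms> <process> <LEVEL> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<proc>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$"
)
# Error: (<curl code>, '<curl message>')  -- assumed to be a pycurl-style (errno, text) tuple
CURL_ERR_RE = re.compile(r"Error: \((?P<code>\d+), '(?P<text>.*?)\s*'\)")
ENDPOINT_RE = re.compile(r"in connection to (?P<endpoint>[\w.\-]+:\d+)")
SOURCE_RE = re.compile(r"Source interface: (?P<ip>\S+)")

# libcurl codes seen in this log; 35 is CURLE_SSL_CONNECT_ERROR
CURL_CODES = {35: "CURLE_SSL_CONNECT_ERROR"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(f"{m['ts']}.{m['ms']}", "%Y-%m-%d %H:%M:%S.%f"),
        "process": m["proc"],
        "level": m["level"],
        "msg": m["msg"],
        "curl_code": None,
        "curl_name": None,
        "endpoint": None,
    }
    err = CURL_ERR_RE.search(m["msg"])
    if err:
        code = int(err["code"])
        rec["curl_code"] = code
        rec["curl_name"] = CURL_CODES.get(code, "unknown")
        ep = ENDPOINT_RE.search(err["text"])
        if ep:
            rec["endpoint"] = ep["endpoint"]
    return rec


def summarize(log_text):
    """Reduce a log excerpt to the facts that decide where to look next."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    errors = Counter(r["curl_code"] for r in records if r["curl_code"] is not None)
    endpoints = sorted({r["endpoint"] for r in records if r["endpoint"]})
    sources = sorted({m["ip"] for m in (SOURCE_RE.search(r["msg"]) for r in records) if m})
    fetch_attempted = any(r["msg"] == "Fetching device certificate" for r in records)
    csr_generated = any(r["msg"] == "Generated pkey and CSR" for r in records)
    cert_missing = any(r["msg"] == "Device certificate not found" for r in records)

    # curl 35 with SSL_ERROR_SYSCALL means the TLS handshake was cut off at the
    # socket (reset/EOF): the CSP was never reached cleanly, so the egress path
    # (policy, service route, NAT, MTU) is the suspect, not the local key material.
    if errors.get(35):
        verdict = "tls_connect_failed"
    elif cert_missing and not fetch_attempted:
        verdict = "not_fetched"
    elif errors:
        verdict = "other_curl_error"
    else:
        verdict = "no_errors"

    return {
        "records": len(records),
        "window": (records[0]["ts"].isoformat(), records[-1]["ts"].isoformat()) if records else None,
        "curl_errors": dict(errors),
        "endpoints": endpoints,
        "source_interfaces": sources,
        "fetch_attempted": fetch_attempted,
        "csr_generated": csr_generated,
        "cert_missing": cert_missing,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Paste the output of "less mp-log device_certgen.log" in place of SAMPLE_LOG
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>18}: {value}")
```

On the sample above the verdict is `tls_connect_failed` with three curl-35 errors against certificate.paloaltonetworks.com:443 and a successfully generated key and CSR, which is the same conclusion Tom reaches in the thread: the firewall side completed its part, and the connection to the CSP is what to examine in the packet captures.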