This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

EDL - unable to get local issuer certificate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

EDL - unable to get local issuer certificate

Go to solution
orbcomm
L2 Linker

‎05-02-2023 11:56 AM

Hi,

Having issues with EDL and certificates.  Followed the best practices, and believe everything is set properly.

 

running pa-8xx clusters running 10.1.9h3, all have the same issue

 

opendbl.net cert chain is imported and set both root and intermediate in the cert profile. opendbl EDL created, cert profile attached and outbound policy applied.

 

Anyone run into the following errors?   Thanks for any advice.

 

Example from system monitor logs:

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Blocklist.de All, EDL Source URL: https://opendbl.net/lists/blocklistde-all.list, CN: opendbl.net, Reason: unable to get local issuer certificate

EDL(Blocklist.de All) No changes to authentication status, still failing.

4 people had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎05-04-2023 02:53 PM

Hello,

I would say bypass decryption for those url's.

Regards,

View solution in original post

9 REPLIES 9

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎05-04-2023 02:53 PM

Hello,

I would say bypass decryption for those url's.

Regards,

Go to solution
orbcomm
L2 Linker
In response to OtakarKlier

‎05-05-2023 07:13 AM

Hi,

Thanks, tested and works without using cert.  Couldn't find a solution that works with cert, so will just continue using http only.

 

Regards

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎06-30-2023 10:24 AM - edited ‎11-15-2023 12:36 PM

Hi @orbcomm ,

 

I opened a TAC case on this issue, and the certificate is working with 10.2.4-h2.  I have seen this issue come and go with different versions.  I think it is a bug that is not listed.

 

If I don't use a certificate profile for the EDL, I get commit warnings.  I use Panorama to push my configs, and I want to see "commit succeeded" for all my NGFWs.  If I get "commit succeeded with warnings" then I have to drill down into every NGFW.  Bottom line:  I get rid of all my commit warnings.  Besides, a certificate profile is more secure.

 

Thanks,

 

Tom

 

PS It was not working in 10.1.9-h3.

Help the community: Like helpful comments and mark solutions.
(1)

Go to solution
orbcomm
L2 Linker
In response to TomYoung

‎06-30-2023 10:37 AM - edited ‎06-30-2023 10:37 AM

Hi @TomYoung,

Thanks for the heads up.  I see 10.1.10 was just recently released, will try that, if not working will think about upgrading to 10.2 release.  Would like to be on the secure side as well.

 

Regards

 

 

0 Likes Likes

Go to solution
szaidi110
L1 Bithead

‎11-15-2023 03:08 AM

I have run into the same weird problem, we are running variants of OS 10.1.9 and can't figure out what the issue is. Interestingly, this was working on the current OS not too long ago and only stopped working after we had to update the certificate chain (EDL URL updated their certificates).

 

TAC hasn't been able to help at all so I am thinking about upgrading to the current preferred release which is 10.1.10-h2 for our base version.


0 Likes Likes

Go to solution
orbcomm
L2 Linker

‎11-15-2023 11:53 AM

Hi @szaidi110 I continue to use non-ssl, I have upgraded to 10.2.6 on firewalls with EDL, and planning to test ssl again, just haven't had a change window yet.   If you can, non-ssl works until upgrade test.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎11-15-2023 12:37 PM

Hi @orbcomm ,

 

Mine continues to work fine on 10.2.4-h2 and 10.2.5.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
orbcomm
L2 Linker

‎11-15-2023 12:42 PM

Excellent, thanks for the feedback @TomYoung 

0 Likes Likes

Go to solution
szaidi110
L1 Bithead

‎11-22-2023 06:54 AM

InfoSec would raise a flag if I bypass the cert authentication so that isn't really a choice. I guess I'll just update my firewalls to 10.2.X and see how it goes

0 Likes Likes
  • 1 accepted solution
  • 4171 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks