EDL - unable to get local issuer certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

EDL - unable to get local issuer certificate

L2 Linker

Hi,

Having issues with EDL and certificates.  Followed the best practices, and believe everything is set properly.

 

running pa-8xx clusters running 10.1.9h3, all have the same issue

 

opendbl.net cert chain is imported and set both root and intermediate in the cert profile. opendbl EDL created, cert profile attached and outbound policy applied.

 

Anyone run into the following errors?   Thanks for any advice.

 

Example from system monitor logs:

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Blocklist.de All, EDL Source URL: https://opendbl.net/lists/blocklistde-all.list, CN: opendbl.net, Reason: unable to get local issuer certificate

EDL(Blocklist.de All) No changes to authentication status, still failing.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

I would say bypass decryption for those url's.

Regards,

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

Hello,

I would say bypass decryption for those url's.

Regards,

Hi,

Thanks, tested and works without using cert.  Couldn't find a solution that works with cert, so will just continue using http only.

 

Regards

Cyber Elite
Cyber Elite

Hi @orbcomm ,

 

I opened a TAC case on this issue, and the certificate is working with 10.2.4-h2.  I have seen this issue come and go with different versions.  I think it is a bug that is not listed.

 

If I don't use a certificate profile for the EDL, I get commit warnings.  I use Panorama to push my configs, and I want to see "commit succeeded" for all my NGFWs.  If I get "commit succeeded with warnings" then I have to drill down into every NGFW.  Bottom line:  I get rid of all my commit warnings.  Besides, a certificate profile is more secure.

 

Thanks,

 

Tom

 

PS It was not working in 10.1.9-h3.

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung,

Thanks for the heads up.  I see 10.1.10 was just recently released, will try that, if not working will think about upgrading to 10.2 release.  Would like to be on the secure side as well.

 

Regards

 

 

L1 Bithead

I have run into the same weird problem, we are running variants of OS 10.1.9 and can't figure out what the issue is. Interestingly, this was working on the current OS not too long ago and only stopped working after we had to update the certificate chain (EDL URL updated their certificates).

 

TAC hasn't been able to help at all so I am thinking about upgrading to the current preferred release which is 10.1.10-h2 for our base version.


L2 Linker

Hi @szaidi110 I continue to use non-ssl, I have upgraded to 10.2.6 on firewalls with EDL, and planning to test ssl again, just haven't had a change window yet.   If you can, non-ssl works until upgrade test.

Cyber Elite
Cyber Elite

Hi @orbcomm ,

 

Mine continues to work fine on 10.2.4-h2 and 10.2.5.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Excellent, thanks for the feedback @TomYoung 

L1 Bithead

InfoSec would raise a flag if I bypass the cert authentication so that isn't really a choice. I guess I'll just update my firewalls to 10.2.X and see how it goes

  • 1 accepted solution
  • 6825 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!