12-22-2015 04:36 PM
Heads up on PAN and Certificate Trust changes
I found out through a packet capture that the Aruba controller no longer accepts an untrusted certificate from the firewall.
This was ignored in 220.127.116.11, but enforced in 18.104.22.168.
I've added the CA Trusted Root and ICA into the Aruba controllers that signed the PAN Web UI, and the PAN XMLAPI is now working again.
01-22-2016 08:18 AM
I'm still struggling with this issue. Have tried a self-signed cert on the PAN as well as a GoDaddy wildcard cert. Both function fine as the cert in place for the PAN's Web UI, but I am not able to make the Aruba controller get happy with the XML-API by loading either of them. Was there some trick to that?
02-08-2016 03:22 PM
I'm using a UCC certificate (i.e. CN=host.domain.name). I wonder whether wildcard may be unsupported, and whether a self-signed certificate might need the FQDN (or IP address) to be included in the CN or SAN fields.
In either case, capturing the TLS negotiation will show the failure reason via the Alert codes, either the server rejecting the client, or the client rejecting the server.
You could also use the openssl toolkit to help troubleshoot TLS server problems, see command "openssl s_client -connect paloaltohost.domain.com:443".
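The post above says that the Alert codes in a captured TLS negotiation tell you which side rejected which certificate. The following is an added example (not code from the thread or from Aruba/Palo Alto) that walks the TLS record layer of a captured byte stream, pulls out the Alert records and names the alert level and description per RFC 5246/8446. The capture bytes, the "client"/"server" labels and the helper names are constructed for illustration; in practice you would feed it the raw TLS bytes exported from a packet capture.

```python
"""Decode TLS Alert records from a captured handshake to see why a TLS
session failed.  Constructed example, not part of the original thread."""
import struct

# TLS record content types (RFC 5246 section 6.2.1)
RECORD_ALERT = 21
RECORD_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 / RFC 8446
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value", 115: "unknown_psk_identity",
    116: "certificate_required", 120: "no_application_protocol",
}

# Alerts that mean "I looked at your certificate and refused it"
CERT_REJECTION_CODES = {42, 43, 44, 45, 46, 48}


def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in `data`."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        offset += 5 + length


def find_alerts(capture):
    """`capture` is a list of (sender, raw_bytes) pairs in wire order.
    Returns a list of dicts describing every Alert record found."""
    alerts = []
    for sender, data in capture:
        for ctype, _version, payload in iter_records(data):
            if ctype != RECORD_ALERT or len(payload) < 2:
                continue
            level, desc = payload[0], payload[1]
            alerts.append({
                "sender": sender,
                "level": ALERT_LEVELS.get(level, f"unknown({level})"),
                "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
                "code": desc,
            })
    return alerts


def explain(alerts):
    """Turn the first fatal alert into a one-line diagnosis of which side
    rejected whom, which is the question the thread is asking."""
    for a in alerts:
        if a["level"] != "fatal":
            continue
        if a["code"] in CERT_REJECTION_CODES:
            return (f"{a['sender']} sent fatal {a['description']}: "
                    f"{a['sender']} rejected the peer's certificate")
        return f"{a['sender']} sent fatal {a['description']}"
    return "no fatal alert found"


# Constructed capture: the client (the controller) receives the server's
# Certificate record and answers with a fatal unknown_ca (48) alert.  The
# handshake payload is a stand-in; only its record header matters here.
SAMPLE_CAPTURE = [
    ("server", bytes([RECORD_HANDSHAKE, 0x03, 0x03, 0x00, 0x04]) + b"\x0b\x00\x00\x00"),
    ("client", bytes([RECORD_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 48])),
]

if __name__ == "__main__":
    found = find_alerts(SAMPLE_CAPTURE)
    for alert in found:
        print(alert)
    print(explain(found))
```

In the constructed sample the client sends `unknown_ca` right after the server's Certificate record, which is the "client rejecting the server" case from the post: the controller does not trust the chain the firewall presented. A `bad_certificate` or `certificate_unknown` alert coming from the server side would instead point at the firewall rejecting the controller's client certificate. Checking the same chain with `openssl s_client -connect host:443 -CAfile <your-CA-bundle>` and reading its `Verify return code` line gives a second opinion without a capture.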
02-08-2016 05:05 PM
I tried swapping back and forth between a wildcard cert, a self-signed cert, and changing from IP to hostname on the self-signed cert. Eventually, it started working with the self-signed when I deleted and re-entered the PA config section. So it seemed to me that you have to delete and recreate your PA info AFTER uploading the certificate. *shrug*
02-09-2016 02:44 PM
Probably need to redo config to remove and load the new cert into memory.
I would think a controller reboot would also accomplish the same thing, but who can afford the downtime.