pandevice.errors.PanURLError: URLError: reason: [SSL: CERTIFICATE_VERIFY_FAILED]

[irom77]

Getting below since 2 days, my Panorama is 7.1.9 and firewall 7.1.7:

python pandevice.pano.commit_all.py
Traceback (most recent call last):
  File "pandevice.pano.commit_all.py", line 18, in <module>
    id=pano.commit_all(cmd="<commit-all><shared-policy><include-template>yes</include-template><device-group><entry name='MR-DC1-PROD'/></device-group></shared-policy></commit-all>")
  File "/usr/lib/python2.7/site-packages/pandevice/panorama.py", line 186, in commit_all
    cmd=cmd)
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2293, in _commit
    commit_response = self.xapi.commit(cmd=cmd,
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 1646, in xapi
    self._xapi_private = self.generate_xapi()
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 1694, in generate_xapi
    kwargs = {'api_key': self.api_key,
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 1640, in api_key
    self._api_key = self._retrieve_api_key()
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 1780, in _retrieve_api_key
    xapi.keygen(retry_on_peer=False)
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 1571, in method
    raise the_exception
pandevice.errors.PanURLError: URLError: reason: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Here is my simple script:

$ cat pandevice.pano.commit_all.py 
#!/usr/bin/python
#.....imports omitted
import time
pano = panorama.Panorama("10.34.2.249", "admin", "password")
id=pano.commit_all(cmd="<commit-all><shared-policy><include-template>yes</include-template><device-group><entry name='MR-DC1-PROD'/></device-group></shared-policy></commit-all>")
time.sleep(300)
cmd = 'show jobs id "' + id + '"'
print pano.op(cmd, xml=True)

[lampwins]

From https://live.paloaltonetworks.com/t5/General-Topics/Panorama-Certificate-Expiration-on-June-16-2017/m-p/150948

IMPORTANT NOTE: Please do not install software versions 7.1.9, 8.0.0 or 8.0.1 on Panorama or log collectors after Friday, June 16, 2017. Doing so will replace the CA certificate on your Panorama or log collectors, causing firewall communications to fail. We plan to remove these releases (PAN-OS 7.1.9, 8.0.0 or 8.0.1 for Panorama) from our update server during the week of May 29, 2017. For more details, please see the below FAQ.

I would try upgrading your panorama and making sure the most up to date content is installed.

[irom77]

Appreciate so which one is good, i.e. 7.1.10 on Panorama ?

[lampwins]

I think 7.1.11 is current recommended, but don't quote me on that.

On Thu, Aug 3, 2017 at 9:53 AM, Irek Romaniuk [email protected] wrote:

Appreciate so which one is good, i.e. 7.1.10 on Panorama ?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/PaloAltoNetworks/pandevice/issues/87#issuecomment-319975488, or mute the thread https://github.com/notifications/unsubscribe-auth/ABPK7JwaZyzW8ahLKss1UJxH_N78_ldgks5sUdD3gaJpZM4OsUYL .

[irom77]

sure I will upgrade Panorama to the most recent 7.1.xx, thnx

[irom77]

But while manual commit works just fine ?

[amb1s1]

Any fix or bypass? I upgraded to 7.1.11 and I still get that error.

[amb1s1]

My issue was that I was using a call from a proxy and not directly.