Multi-Portal certificates do not renew
Hi all,
Mobile Access and IPSec VPN blades are enabled on the firewall (R81.20 JT89). A couple of days ago the certificate was expiring, so we used the "SmartConsole -> IPSec VPN -> Repository of Certificates Available to Gateway" section to renew it. From there it seems that the certificate is renewed, but if we access the Mobile Access portal page or the UserCheck page, these portals are still using the old certificate. Also, Identity Collector agents cannot connect to the gateway because of the expired certificate. We also tried the script provided in https://support.checkpoint.com/results/sk/sk182070, but the old certificate is still in use.
Is this a TAC case, or am I missing something?
After the script from sk182070 was used to renew, what does ./gateway_cert_util.sh -show all show? Did you perform a policy install after the renewal?
Hi,
The command output is below. After renewing the certificate with the script, we installed the policy.
Better contact TAC (after rebooting all to be sure)...
A reboot solved the problem. Thanks.
I believe this is currently a known issue that will be fixed in a future JHF.
I believe it is vpnd that needs to be restarted here (though a cprestart or reboot will also solve it).
There are 2 certificates: one used for MAB and the other for IPSec VPN. Did you renew both?
Gateway -> Mobile Access -> Portal Settings
If you like this post please give a thumbs up(kudo)! 🙂
Extra tip
https://support.checkpoint.com/results/sk/sk177903
Since we are not using a 3rd-party certificate for MAB, I couldn't renew this certificate individually. As PhoneBoy mentioned, this was a known bug; using the script provided in sk182070 should change the MAB certificate as well. It changed, but it becomes active after a reboot.
Hello folks,
I see this issue also at one of my customers...
Even when we renew the built-in IPSec certificate via SmartConsole, it doesn't help.
Also, every third-party certificate we have installed was affected, and we have a ton of certificates installed.
Client VPN showed expired certs.
IDC stopped working: "PDPChannel | 1736874287 | Error with pdp 10.254.3.177 : General transport error 399"
Access to all of the portals shows expired certificates, although they still (should) be valid based on SmartConsole.
But S2S VPN to the affected sites still works; maybe it affects only the HTTP portals and not VPN...
That's really a mess. Check Point makes it really hard to manage all certificates, especially when dealing with third-party certificates, and then you have another problem when valid certificates do not get pushed to the HTTPD processes!
But at least a reboot of the FW member helps!
A TAC case was opened... let's wait...
New info
I had a very fruitful remote session with TAC.
When restarting vpnd, it renews the certificates!
So running:
[Expert@XXXXX:0:ACTIVE]# ps aux | grep vpnd
admin 5694 0.0 0.0 2648 576 pts/2 S+ 14:46 0:00 grep --color=auto vpnd
admin 13374 0.1 0.9 332124 77820 ? SLl 2024 170:20 vpnd 0
[Expert@XXXXX:0:ACTIVE]# kill -KILL $(pidof vpnd)
[Expert@XXXXX:0:ACTIVE]# ps aux | grep vpnd
admin 5730 73.0 0.4 229620 32912 ? R 14:47 0:00 vpnd 0
admin 5740 0.0 0.0 2648 568 pts/2 S+ 14:47 0:00 grep --color=auto vpnd
This operation restarts vpnd and changes the certificate to the new one immediately!
The question is still: why didn't the S2S VPN stop on the affected GW when the certificate expired?
I expected to see the VPN stop immediately, but it runs and runs...
Does vpnd use the new certificate just for itself but not release the change to the other daemons?
An R&D task to bring a better solution is expected!
This is because the VPN cert is only used for internal gateways managed by the same mgmt (CP to CP in the same mgmt).
I assume you are talking about VPNs with remote parties? They use PSK.
Hello,
With "third party" I mean third-party certificates, not third-party VPN tunnels.
And up to this date there is no good automatic solution to gather an overview of all important third-party certificates.
But that's a topic for a different story 🙂
Hi,
Yes, I understand; I was referring to the cert under IPSec in the gateway object. Why do VPN tunnels still work if it is expired?
I think IDC uses the portal cert, but of this I am not 100% sure; I have to check that in the lab.
Yep, IDC uses the platform portal certificate. This is the daemon that's not reloading its certificate. The IPsec VPN is reloading the certificate correctly, which is why site-to-site VPNs work as expected. The issue is for HTTPS-based endpoints, of which IDC is one.
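As an added example (not part of this thread and not a Check Point tool): a small script that reports the certificate each of the gateway's HTTPS listeners actually presents, so the situation described here (SmartConsole shows the renewed certificate while the portals and IDC still serve the expired one) can be confirmed from the client side before and after restarting vpnd. The host and port are placeholders; the script walks the DER itself because the standard library will not decode a peer certificate it did not verify.

```python
"""Report the certificate each HTTPS listener on a gateway actually presents
(added example; host/port in main are placeholders, not real values)."""
import calendar, hashlib, socket, ssl, time

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Epoch seconds of notAfter, walking Certificate -> tbsCertificate ->
    [version] serialNumber signature issuer validity (RFC 5280 order)."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)              # version [0] or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # explicit version: skip serial
    for _ in range(2):                      # skip signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)           # notBefore
    tag, val, _ = _tlv(validity, pos)       # 0x17 UTCTime / 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return calendar.timegm(time.strptime(val.decode(), fmt))

def status(der, now=None, warn_days=30):
    """('expired'|'expiring'|'ok', sha256 hex fingerprint) for a DER cert."""
    left = (not_after(der) - (time.time() if now is None else now)) / 86400
    state = "expired" if left < 0 else "expiring" if left < warn_days else "ok"
    return state, hashlib.sha256(der).hexdigest()

def served_cert(host, port, timeout=5):
    """DER cert the listener presents. Verification is disabled on purpose:
    an expired cert would otherwise abort the handshake before inspection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def der_encode(tag, body):
    """Short-form DER TLV encoder, used only to build a constructed sample cert."""
    return bytes([tag, len(body)]) + body

if __name__ == "__main__":
    for host, port in [("gw.example.internal", 443)]:   # placeholder portal
        print(host, port, *status(served_cert(host, port)))
```

Comparing the fingerprint printed per listener with the renewed certificate's fingerprint shows which daemons have picked up the new certificate and which still serve the old one.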
