panos_import no longer imports trusted certificates #555

Open
0byt3 opened this issue Mar 8, 2024 · 2 comments
Labels
bug Something isn't working

Comments


0byt3 commented Mar 8, 2024

Describe the bug

Unable to import certificate into panorama.

Expected behavior

I should be able to import a PEM certificate into panorama and templates.

Current behavior

I receive the error "Import of letsencrypt_chain01 failed. private key doesn't exist for csr" when using paloaltonetworks.panos.panos_import.

It seems that something has changed such that importing PEM is only used for completing a certificate request now?
It used to be the case that I could use this to import trusted certificates.

Possible solution

Not sure how it is to be fixed. It used to work, but no longer does.

Steps to reproduce

```yaml
- name: "Import chain certificate(s) from letsencrypt"
  paloaltonetworks.panos.panos_import:
    category: "certificate"
    certificate_name: "letsencrypt_chain01"
    format: "pem"
    filename: "{{ letsencrypt_path }}/chain01.pem"
    provider: "{{ pan_provider }}"
```

Context

I am trying to automate the deployment of my LetsEncrypt chain certificates into Panorama.

Your Environment

  • Panorama: 10.1.10-h5
  • Collection: 2.19.1
  • Python: 3.11.2
  • Ansible core: 2.14.3

PAN-OS Python Library

  • pandevice 0.14.0
  • pan-os-python 1.11.0
@0byt3 0byt3 added the bug Something isn't working label Mar 8, 2024
horiagunica (Collaborator) commented

Hello @0byt3 !

It should still work just fine as long as the upload that you are doing is based on a CSR issued from Panorama.

High level the steps should look like this (an example):

1. Generate CSR from Panorama:

   ```yaml
   - name: Generate a csr
     paloaltonetworks.panos.panos_op:
       provider: '{{ panorama_provider_key }}'
       cmd: |
         <request>
           <certificate>
             <generate>
               <certificate-name>{{ mgmt_cert_name }}</certificate-name>
               <name>{{ ca_cn }}</name>
               <algorithm>
                 <RSA>
                   <rsa-nbits>2048</rsa-nbits>
                 </RSA>
               </algorithm>
               <digest>sha256</digest>
               <organization>{{ ca_org }}</organization>
               <country-code>{{ ca_country }}</country-code>
               <state>{{ ca_state }}</state>
               <locality>{{ ca_location }}</locality>
               <ca>no</ca>
               <ip>
               {% for ip in ca_ipv4_list %}
                 <member>{{ ip }}</member>
               {% endfor %}
               </ip>
               <signed-by>external</signed-by>
             </generate>
           </certificate>
         </request>
       cmd_is_xml: true
   ```

2. Download generated CSR (notice the cert name):

   ```yaml
   - name: Download the generated CSR
     paloaltonetworks.panos.panos_export:
       provider: '{{ panorama_provider_key }}'
       category: certificate
       certificate_name: '{{ mgmt_cert_name }}'
       certificate_format: pkcs10
       filename: 'csr/{{ inventory_hostname }}.csr'
   ```

3. After you signed the CSR, upload the cert (notice the name once more):

   ```yaml
   - name: Upload certificate
     paloaltonetworks.panos.panos_import:
       provider: '{{ panorama_provider }}'
       category: certificate
       certificate_name: "{{ mgmt_cert_name }}"
       format: pem
       filename: 'pem/{{ inventory_hostname }}.pem'
       template: '{{ ci_template_name }}'
   ```

If the certificate name doesn't match the generated CSR, Panorama/firewall will not "recognise" that certificate and will prompt you to also upload the private key for it.

@horiagunica horiagunica self-assigned this Mar 27, 2024
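As an added example (not code from this issue or from the paloaltonetworks.panos collection), a pre-flight check that classifies the blocks of a PEM bundle before panos_import uploads it: a certificate-only file is accepted under `category: certificate` only when its name matches a CSR generated on the device, as the comment above explains, so flagging that case, and truncated or corrupt blocks, ahead of time turns the opaque "private key doesn't exist for csr" rejection into a predictable result. The `inspect_pem`/`der_length_ok` helpers and the sample PEM data are constructed for illustration; no real certificates are involved.

```python
import base64
import re

# Hypothetical pre-flight helper (not part of the paloaltonetworks.panos collection):
# classify the blocks in a PEM bundle before panos_import uploads it.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample data (not a real certificate): a minimal DER SEQUENCE { INTEGER 1 }.
FAKE_DER_B64 = "MAMCAQE="  # bytes 30 03 02 01 01
SAMPLE_CHAIN = "".join(
    f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n" for _ in range(2)
)


def der_length_ok(der: bytes) -> bool:
    """Outer ASN.1 SEQUENCE header must account for exactly the decoded bytes (catches truncation)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str) -> dict:
    """Count block types and decide how panos_import (category=certificate) will treat the file."""
    result = {"certificates": 0, "private_keys": 0, "malformed": []}
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = b""
        if not der_length_ok(der):
            result["malformed"].append(label)
        elif label == "CERTIFICATE":
            result["certificates"] += 1
        elif label in KEY_LABELS:
            result["private_keys"] += 1
    # A certificate-only file is accepted only as the answer to a CSR generated on the device;
    # with a non-matching certificate_name, expect "private key doesn't exist for csr".
    result["needs_pending_csr"] = bool(result["certificates"]) and not (
        result["private_keys"] or result["malformed"])
    return result
```

Run `inspect_pem` on the chain file before the panos_import task; `needs_pending_csr` being true with a certificate_name that was never used in a Panorama CSR is exactly the situation reported in this issue.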
horiagunica (Collaborator) commented

@0byt3 did you get a chance to test/confirm the above ?

Unless we receive a reply soon - we will proceed to close the issue.
