I had some trouble opening the web-based version of teamviewer: web.teamviewer.com
Long story short: The SSL certificates for static.web.teamviewer.com were issued from the new Sectigo Root CAs:
https://www.sectigo.com/faqs/detail/Sectigo-Public-Intermediates-and-Roots/kA0Uj0000003eov
You can check it by running:
openssl s_client -connect static.web.teamviewer.com:443 -showcerts
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
depth=0 CN = static.web.teamviewer.com
Unfortunately (at the time of writing this post) my PA-440 is missing those two new Root CAs – Sectigo Public Server Authentication Root R46 and E46. As soon as I added them (or at least the R46, as R stands for RSA and E for ECC, the 46 because they are valid until 2046 I guess) by hand the web-based teamviewer was working again.
Here’s a link to a debian bug dated february this year where a user had the same issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095913
Tested with PAN-OS 11.2.7-h4, 11.2.10 and 12.1.3-h1.
UPDATE – 20.11.2025
This seems to be a known issue. The corresponding feature request is NSFR-28902 in case someone wants to push it at Palo Alto.
Leave a Reply