Palo Alto Firewall: macOS Updates NSURLErrorDomain error -1012

This is part of the Palo Posts how-to guides for getting the most from your Palo Alto firewall on a home or small business network.

Overview

About a month ago, I enabled decryption on my Palo Alto firewall and limited it only to traffic to and from my MacBook Pro.  It’s worked well and provided great visibility into the vast amounts of encrypted traffic that we see nowadays.

So what’s this have to do with macOS?  Apple periodically releases updates and I had read that one was just released.  I checked my laptop and saw that I had a few updates to install for the iWork suite and Xcode.  Notably missing were notifications for the core macOS system updates.  I clicked on the “Updates” button again in the Mac App Store and received the following message:

“Oh, the operation couldn’t be completed because of the NSURLErrorDomain error -1012?  Great, real helpful.”  I tried closing and reopening the App Store with no luck.  I thought maybe my laptop just wasn’t happy because I hadn’t rebooted in a while so I tried that, but still no luck.  I searched the interwebs and found a few forum posts, but nothing too helpful.  One post included lines from /var/log/install.log so I decided to check out what mine said.

2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Ramped updates marked
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Scan for client pid 501 (/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Elapsed scan time = 0.2
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSErrorFailingURLKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSLocalizedRecoverySuggestion=Make sure you’re connected to the Internet, and then try again., SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}

“Refusing invalid certificate from host: swscan.apple.com” — now we’re getting somewhere!  I knew immediately this was due to my Palo Alto decryption.  I checked my Monitor logs and confirmed that decryption was occurring on traffic to https://swscan.apple.com.
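The same install.log check run over a whole log, as an added example that is not part of the original post: it collects every hostname that a process refused a certificate from, which gives the list to compare against the firewall's decryption exclusions. The function names and the sample lines (constructed in the format of the excerpt above, with a shortened URL) are assumptions.

```python
import re

# Constructed sample in the format of the /var/log/install.log excerpt above.
SAMPLE_LOG = """\
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=https://swscan.apple.com/content/catalogs/others/index.sucatalog}
"""

# "<date> <time+tz> <machine> <process>[<pid>]: <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<machine>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Explicit refusal of the presented certificate (seen when TLS is being intercepted).
REFUSED = re.compile(r"Refusing invalid certificate from host: (?P<fqdn>[A-Za-z0-9.-]+)")
# The generic -1012 error, with the failing URL's hostname.
FAILING = re.compile(r"Code=-1012\b.*?NSErrorFailingURL(?:String)?Key=https://(?P<fqdn>[A-Za-z0-9.-]+)")


def cert_rejections(log_text):
    """Return {hostname: {"refused": n, "error_1012": n, "first": ts, "last": ts}}."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped or foreign-format line
        for pattern, kind in ((REFUSED, "refused"), (FAILING, "error_1012")):
            found = pattern.search(m["msg"])
            if found:
                rec = hits.setdefault(
                    found["fqdn"].lower(),
                    {"refused": 0, "error_1012": 0, "first": m["ts"], "last": m["ts"]},
                )
                rec[kind] += 1
                rec["last"] = m["ts"]
    return hits


def exclusion_candidates(log_text):
    """Hostnames with at least one explicit certificate refusal, sorted."""
    return sorted(h for h, r in cert_rejections(log_text).items() if r["refused"])


if __name__ == "__main__":
    for host, rec in cert_rejections(SAMPLE_LOG).items():
        print(host, rec)
```

On a Mac, pass the contents of /var/log/install.log instead of `SAMPLE_LOG`; only hosts with an explicit refusal are listed, since -1012 alone does not identify a certificate problem.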

Solution

So how do I solve this?  A little digging and I found that Palo Alto maintains a predefined list of URLs to exclude from decryption in Device -> Certificate Management -> SSL Decryption Exclusion.   These are URLs that Palo Alto knows will cause issues if decryption is attempted.  Interestingly, searching for “apple” in this list showed a number of predefined apple.com URLs.  One was even described as “apple-appstore: pinned-cert” suggesting that perhaps Apple has updated the URL for this, causing my decryption to break my update process.

To add my own, I clicked “Add” at the bottom, and entered the following:

Committed the change and tried updating my laptop once more.  This time, it worked!
