Palo Alto Firewall: macOS Updates NSURLErrorDomain error -1012

About a month ago, I enabled decryption on my Palo Alto firewall and limited it only to traffic to and from my MacBook Pro.  It’s worked well and provided great visibility into the vast amounts of encrypted traffic that we see nowadays.

So what’s this have to do with macOS?  Apple periodically releases updates and I had read that one was just released.  I checked my laptop and saw that I had a few updates to install for the iWork suite and Xcode.  Notably missing were notifications for the core macOS system updates.  I clicked on the “Updates” button again in the Mac App Store and received the following message.:

“Oh, the operation couldn’t be completed because of the NSURLErrorDomain error -1012?  Great, real helpful.”  I tried closing an reopening the App Store with no luck.  I thought maybe my laptop just wasn’t happy because I hadn’t rebooted in a while so I tried that, but still no luck.  I searched the interwebs and found a few forum posts, but nothing too helpful.  One post included lines from /var/log/install.log so I decided to check out what mine said.

2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Ramped updates marked
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Scan for client pid 501 (/System/Library/CoreServices/Software
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host:
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host:
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Elapsed scan time = 0.2
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=, NSErrorFailingURLKey=, NSLocalizedRecoverySuggestion=Make sure you’re connected to the Internet, and then try again., SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}

“Refusing invalid certificate from host:” — now we’re getting somewhere!  I knew immediately this was due to my Palo Alto decryption.  I checked my Monitor logs and confirmed that decryption was occurring on traffic to

So how do I solve this?  A little digging and I found that Palo Alto maintains a predefined list of URLs to exclude from decryption in Device -> Certificate Management -> SSL Decryption Exclusion.   These are URLs that Palo Alto knows will cause issues if decryption is attempted.  Interestingly, searching for “apple” in this list showed a number of predefined URLs.  One was even described as “apple-appstore: pinned-cert” suggesting that perhaps Apple has updated the URL for this, causing my decryption to break my update process.

To add my own, I clicked “Add” at the bottom, and entered the following.:

Committed the change and tried updating my laptop once more.  This time, it worked!

Stuff I recommend:

Web Hosting: SiteGround is proudly hosted by SiteGround. Performance and customer service are top notch. Quick and easy https implementation via built-in Let's Encrypt integration.

VPN: Private Internet Access
When I'm using a public internet access point, I use Private Internet Access to secure my connections. Easy to use, fast speeds, and no logs.

Cell Phone: Ting
I don't use many minutes or much data since I'm usually on Wi-Fi, making Ting a smart choice. It features nationwide coverage, fast LTE, and pay as you go rates.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.