Ensemble 2015.2.3 - Certificate is not valid for TLS Web client authentication

Question

Question

Glenda Anaya · Jun 9, 2016

Hi,

We recently updated Ensemble, on our Unix DEV server , from version 2013.x to 2015.2.3 (Build 855U) and when we test our SSL/TLS configuration we get the following error:

ERROR #729: Certificate /qmd/ens_chldev_1/mgr/SILCert/SILCSSSJR-CER.cer is not valid for TLS Web client authentication .

The certificate was working fine before the update in DEV and it is working fine in our PROD Unix server with Ensemble 2012.x. Any ideas why we are getting this error?

Regards

Discussion (5)0

Log in or sign up to continue

Richard Rael · Jun 15, 2016

Hi Glenda,

Don't know if you already opened an issue with the WRC about this, but I wanted to include something that might be helpful to you or others with similar issues.

When dealing with SSL/TLS issues it is helpful to use our REDEBUG routine to gather more information into the cconsole.log file:

%SYS>d ^REDEBUG
Old flag values = FF
New flag values (in Hex): FFFFFFFF

You actually enter eight capital F's to set the REDEBUG flags. This will cause a lot more logging of networking related messages into the cconsole.log file. Most are useless/info only so we don't normally run with the flags set; it would fill up the log file to quickly.

After setting these flags reproduce whatever issue you are having. In this case test the SSL/TLS connection.

Lots of new messages about the connection will be logged in cconsole.log, and these may be helpful to you to diagnose further, and may be required by Intersystems support in order for them to diagnose the issue. Might as well get this to provide upon opening an issue so that there is less delay for an answer.

When you are done reproducing the issue please set the REDEBUG flags back so that you don't fill the cconsole.log:

%SYS>d ^REDEBUG
Old flag values = FFFFFFFF
New flag values (in Hex): FF

Hope you find this helpful.

%SYS>

2 0

score 1 · Answer 1 · 2016-06-09T12:11:07-04:00

Hello Glenda. Some internal checks of certificates and private key files used by SSL configurations were added in 2015.1, so that may be related to the issue you are experiencing. I would recommend contacting the InterSystems Worldwide Response Center (WRC) for assistance in investigating the cause of this and devising a solution.

score 1 · Answer 2 · 2016-06-09T13:29:06-04:00

I just wanted to know if anybody here had the same issue, before open a support case/ticket. Thank you Aaron, I will do that.

score 0 · Answer 3 · 2016-06-15T11:30:12-04:00

Than you Richard for letting us know about that routine to debug connection issues, I was not aware.

The issue was resolved just by changing the settings; since PEM certificate already had all the CA certificates concatenated, we did not have to enter the clients credentials, once this was changed we got a SSL connection succeeded message.

Regards,

score 0 · Answer 4 · 2023-12-06T12:14:21-05:00

Encountered similar issue:

ERROR #743: CA certificate file is not valid [%OnValidateObject+97^Security.SSLConfigs.1:%SYS]

Turns out, Extension:basicConstraints field of the CA certificate must contain CA:TRUE. The BasicConstraints extension is intended primarily for CA certificates. It has a single Boolean variable, “cA”, which reflects whether or not the certificate is a CA certificate. If the certificate is a CA certificate, it can also declare a pathLen constraint that dictates how many sub-CAs are allowed to exist in the hierarchy of CAs.

To check:

Set bc=$System.Encryption.X509GetField(cer,"Extension:basicConstraints")
Write bc["CA:TRUE"