· Jun 9, 2016

Ensemble 2015.2.3 - Certificate is not valid for TLS Web client authentication


We recently updated Ensemble, on our Unix DEV server , from version 2013.x to 2015.2.3 (Build 855U) and when we test our SSL/TLS configuration we get the following error:

ERROR #729: Certificate /qmd/ens_chldev_1/mgr/SILCert/SILCSSSJR-CER.cer is not valid for TLS Web client authentication .

The certificate was working fine before the update in DEV and it is working fine in our PROD Unix server with Ensemble 2012.x.  Any ideas why we are getting this error?



Discussion (5)0
Log in or sign up to continue

Hi Glenda,

Don't know if you already opened an issue with the WRC about this, but I wanted to include something that might be helpful to you or others with similar issues.

When dealing with SSL/TLS issues it is helpful to use our REDEBUG routine to gather more information into the cconsole.log file:

Old flag values = FF
 New flag values (in Hex): FFFFFFFF

You actually enter eight capital F's to set the REDEBUG flags.  This will cause a lot more logging of networking related messages into the cconsole.log file.  Most are useless/info only so we don't normally run with the flags set; it would fill up the log file to quickly.

After setting these flags reproduce whatever issue you are having.  In this case test the SSL/TLS connection.

Lots of new messages about the connection will be logged in cconsole.log, and these may be helpful to you to diagnose further, and may be required by Intersystems support in order for them to diagnose the issue.  Might as well get this to provide upon opening an issue so that there is less delay for an answer.

When you are done reproducing the issue please set the REDEBUG flags back so that you don't fill the cconsole.log:
Old flag values = FFFFFFFF
 New flag values (in Hex): FF
Hope you find this helpful.

Than you Richard for letting us know about that routine to debug connection issues, I was not aware.

The issue was resolved just by changing the settings; since PEM certificate already had all the CA certificates concatenated, we did not have to enter the clients credentials, once this was changed we got a SSL connection succeeded message.



Encountered similar issue:

ERROR #743: CA certificate file is not valid [%OnValidateObject+97^Security.SSLConfigs.1:%SYS]

Turns out, Extension:basicConstraints field of the CA certificate must contain CA:TRUE. The BasicConstraints extension is intended primarily for CA certificates. It has a single Boolean variable, “cA”, which reflects whether or not the certificate is a CA certificate. If the certificate is a CA certificate, it can also declare a pathLen constraint that dictates how many sub-CAs are allowed to exist in the hierarchy of CAs.

To check:

Set bc=$System.Encryption.X509GetField(cer,"Extension:basicConstraints")
Write bc["CA:TRUE"