Glenda Anaya · Jun 9, 2016

Ensemble 2015.2.3 - Certificate is not valid for TLS Web client authentication


We recently updated Ensemble, on our Unix DEV server , from version 2013.x to 2015.2.3 (Build 855U) and when we test our SSL/TLS configuration we get the following error:

ERROR #729: Certificate /qmd/ens_chldev_1/mgr/SILCert/SILCSSSJR-CER.cer is not valid for TLS Web client authentication .

The certificate was working fine before the update in DEV and it is working fine in our PROD Unix server with Ensemble 2012.x.  Any ideas why we are getting this error?



0 1,663
Discussion (4)0
Log in or sign up to continue

Hello Glenda. Some internal checks of certificates and private key files used by SSL configurations were added in 2015.1, so that may be related to the issue you are experiencing. I would recommend contacting the InterSystems Worldwide Response Center (WRC) for assistance in investigating the cause of this and devising a solution.

I just wanted to know if anybody here had the same issue, before open a support case/ticket. Thank you  Aaron, I will do that.

Hi Glenda,

Don't know if you already opened an issue with the WRC about this, but I wanted to include something that might be helpful to you or others with similar issues.

When dealing with SSL/TLS issues it is helpful to use our REDEBUG routine to gather more information into the cconsole.log file:

Old flag values = FF
 New flag values (in Hex): FFFFFFFF

You actually enter eight capital F's to set the REDEBUG flags.  This will cause a lot more logging of networking related messages into the cconsole.log file.  Most are useless/info only so we don't normally run with the flags set; it would fill up the log file to quickly.

After setting these flags reproduce whatever issue you are having.  In this case test the SSL/TLS connection.

Lots of new messages about the connection will be logged in cconsole.log, and these may be helpful to you to diagnose further, and may be required by Intersystems support in order for them to diagnose the issue.  Might as well get this to provide upon opening an issue so that there is less delay for an answer.

When you are done reproducing the issue please set the REDEBUG flags back so that you don't fill the cconsole.log:
Old flag values = FFFFFFFF
 New flag values (in Hex): FF
Hope you find this helpful.

Than you Richard for letting us know about that routine to debug connection issues, I was not aware.

The issue was resolved just by changing the settings; since PEM certificate already had all the CA certificates concatenated, we did not have to enter the clients credentials, once this was changed we got a SSL connection succeeded message.