Question
· Jul 20, 2023

ERROR #6085: Unable to write to socket with SSL/TLS configuration 'OSUWMC', error reported 'error:0909006C:PEM routines:get_name:no start line

I am trying to set up our first SSL/TLS configuration so we can possibly connect to the EMR FHIR server to pull data into the Interoperability engine.

I am running on Red Hat, and created and submitted an openssl CSR request to our Windows ADCS system.

I used the following command to generate the key and CSR request to submit to Windows ADCS:

openssl req -new -sha512 -nodes -newkey rsa:4096 -keyout xxxxxxx.key -out xxxxxxxx.csr

When the certificate was generated I was able to download the individual certificate (cer) and the certificate chain (p7b) in DER or Base64. I downloaded everything in both formats as I wasn't sure if I need the chain or not. I copied them all down to my Red Hat server, then using openssl converted the DER cer into a PEM format. Then I updated-ca-trust as per instruction when installing new certificates.

I set up an OSUWMC SSL/TLS configuration, but when I try to submit a test request I am getting the following error....

DEVCLIN>set request=##class(%Net.HttpRequest).%New()

DEVCLIN>set request.Server = "ihisicbgnp.osumc.edu"

DEVCLIN>set request.Port=443

DEVCLIN>set request.SSLConfiguration="OSUWMC"

DEVCLIN>set request.Https=1

DEVCLIN>set tSC=request.Get("/",2)

DEVCLIN>do $SYSTEM.Status.DisplayError(tSC)

ERROR #6085: Unable to write to socket with SSL/TLS configuration 'OSUWMC', error reported 'error:0909006C:PEM routines:get_name:no start line, error:140DC009:SSL routines:use_certificate_chain_file:PEM lib'

Here is what messages.log shows from turning on d ^REDEBUG

07/20/23-13:24:23:776 (2558311) 0 [Generic.Event] tpopen for host ihisicbgnp.osumc.edu device number 30334840 port 443  mode 0x8848 tcpmode 0x24 terminators  ibfsz 8192 obfsz 8192 queuesize 5 timeout 30 tcpsbuf=0 tcprbuf=0, XY=off, BINDTO=
07/20/23-13:24:23:802 (2558311) 0 [Generic.Event] TCPConnect: SNDBUF sys size=16384, dev size=0
07/20/23-13:24:23:802 (2558311) 0 [Generic.Event] TCPConnect: RCVBUF sys size=87380, dev size=0
07/20/23-13:24:23:803 (2558311) 0 [Generic.Event]
TCP connected to site 10.81.7.238 port 443
07/20/23-13:24:23:803 (2558311) 0 [Generic.Event] StreamInit: SNDBUF sys size=87040, dev size=0
07/20/23-13:24:23:803 (2558311) 0 [Generic.Event] StreamInit: RCVBUF sys size=369280, dev size=0
07/20/23-13:24:23:803 (2558311) 0 [Generic.Event] SSLconfig called - SSL_init = 0
07/20/23-13:24:23:803 (2558311) 0 [Generic.Event]
SSL/TLS configuration: OSUWMC
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
TLS enabled versions, minimum: 16, maximum: 32
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
Certificate file: /ensemble/Scott/IRISBuild/int-lxiris-vd01_DER.cer
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
error:0909006C:PEM routines:get_name:no start line
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
error:140DC009:SSL routines:use_certificate_chain_file:PEM lib
07/20/23-13:24:23:804 (2558311) 0 [Generic.Event]
TPXMIT saw TCP device fail

Did I not do something correctly?

  • Which type of Certificate do I need to be downloading from Windows ADCS, the individual cert or the chain?
  • What format does the Certificate need to be in, DER or Base64?
  • Does anyone have experience with Windows ADCS and using Linux to tell me if I am doing the right steps? OSUMC is mainly a Windows environment, and using Linux is outside the norm.

The person that creates the Certificates really doesn't know much about the Linux environment.

Product version: IRIS 2023.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:16:34 EDT
Discussion (1)

For others I figured out the issue. Had to use the Base64 formatted Certificate Chain (p7b) from Windows ADCS (Active Directory Certificate Service).

  1. Download Base64 p7b to /etc/pki/ca-trust/source/anchors/ in Red Hat
  2. Change ownership group to include irisusr
  3. Change permissions to Read (666)
  4. Convert p7b to pem
  • sudo openssl pkcs7 -in xxxxx.p7b -print_certs -out xxxxx.pem

When I went through testing the request I got the following...

DEVCLIN>set request=##class(%Net.HttpRequest).%New()

DEVCLIN>set request.Server = "xxxxxxxxxxxx"

DEVCLIN>set request.Port=443

DEVCLIN>set request.SSLConfiguration="OSUWMC"

DEVCLIN>set request.Https=1

DEVCLIN>set tSC=request.Get("/",2)
HTTP/1.1 200 OK
ACCEPT-RANGES: bytes
CACHE-CONTROL: private
CONTENT-ENCODING: gzip
CONTENT-LENGTH: 467
CONTENT-TYPE: text/html
DATE: Thu, 20 Jul 2023 20:08:54 GMT
ETAG: "b072b0f23afdd01:0"
LAST-MODIFIED: Fri, 02 Oct 2015 17:51:21 GMT
NTCOENT-LENGTH: 701
SERVER: Microsoft-IIS/8.5
X-POWERED-BY: ASP.NET

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
        color:#000000;
        background-color:#0072C6;
        margin:0;
}

#container {
        margin-left:auto;
        margin-right:auto;
        text-align:center;
        }

a img {
        border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iis-85.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>
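
Added example (not part of the original posts and not InterSystems code): a pre-flight check that shows why the DER file named in messages.log produces "no start line", and that tells an X.509 certificate from a PKCS#7 (p7b) bundle by looking at the DER inside rather than trusting the file extension or PEM label. The byte strings are constructed stand-ins with only the outer ASN.1 shape, the file names are hypothetical, and one sample is given mode 666 as in step 3 so the permission check has something to flag.

```python
import base64, pathlib, re, stat, tempfile

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Constructed stand-ins with the right outer shape only; they are not real certificates.
FAKE_CERT = bytes.fromhex("30053003020100")             # SEQUENCE { SEQUENCE { ... } }
FAKE_P7B = bytes.fromhex("300b06092a864886f70d010702")  # SEQUENCE { OID signedData }

def der_kind(der):
    """Classify DER: a Certificate opens with a SEQUENCE, a PKCS#7 ContentInfo with an OID."""
    if len(der) < 3 or der[0] != 0x30 or der[1] == 0x80:
        return "not-der"
    n = der[1] & 0x7F if der[1] > 0x80 else 0            # long-form length octets
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if length == 0 or 2 + n + length != len(der):
        return "not-der"
    return {0x30: "x509", 0x06: "pkcs7"}.get(der[2 + n], "other-der")

def inspect_cert_file(path):
    """Return (encoding, contents, problems) for a file named in an SSL/TLS configuration."""
    path = pathlib.Path(path)
    data = path.read_bytes()
    blocks, problems = PEM_BLOCK.findall(data), []
    if blocks:
        encoding, contents = "pem", [der_kind(base64.b64decode(body)) for _label, body in blocks]
        if "x509" not in contents:
            problems.append("PEM armor but no X.509 certificate inside")
    else:
        encoding, contents = "binary", [der_kind(data)]
        problems.append("no '-----BEGIN' line: a PEM reader fails with 'no start line'")
    if stat.S_IMODE(path.stat().st_mode) & 0o002:
        problems.append("world-writable")
    return encoding, contents, problems

def demo():
    """Inspect constructed stand-ins for the download choices the question lists."""
    def pem(label, der):
        return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der), label)
    samples = {"cert_DER.cer": FAKE_CERT, "cert_B64.cer": pem(b"CERTIFICATE", FAKE_CERT),
               "chain_DER.p7b": FAKE_P7B, "chain_B64.p7b": pem(b"PKCS7", FAKE_P7B),
               "chain.pem": pem(b"CERTIFICATE", FAKE_CERT) * 2}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            path = pathlib.Path(tmp, name)
            path.write_bytes(blob)
            path.chmod(0o666 if name == "chain.pem" else 0o644)  # 666 as in step 3
            results[name] = inspect_cert_file(path)
    return results

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

A certificate file only has to be readable by the IRIS process, so the world-writable flag on the last sample is the finding to act on before pointing a configuration at a file under the trust anchors directory.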