SUMIT JANAWLEKAR

Reputation: 11

DICOM TLS between Orthanc and pynetDicom fails with error ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error

I am trying to create a secure communication between Orthanc (client on my local Mac) and pynetDicom (server on my EC2). For this I obtained an X.509 certificate from Let's Encrypt. I have added the certs to pynetDicom like this, in Python's ssl context:

import ssl
from pynetdicom import AE

# Placeholder values: the post does not show how these are defined
CERT_FILE = "/path/to/cert.pem"        # server certificate
KEY_FILE = "/path/to/privkey.pem"      # its private key
CHAIN_FILE = "/path/to/fullchain.pem"  # certificate chain
NODE_IP, NODE_PORT = "0.0.0.0", 11112
AE_TITLE = "MY_AET"
handlers = []  # pynetdicom (event, callback) handlers

ae = AE()

# Set up TLS
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE, password=None)

# If a certificate chain file is needed
context.load_verify_locations(cafile=CHAIN_FILE)

ae.tls_server_context = context

assoc = ae.start_server(
    (NODE_IP, NODE_PORT),
    ae_title=AE_TITLE,
    evt_handlers=handlers,
    ssl_context=ae.tls_server_context  # Enable TLS
)

I tried testing the TLS connection with openssl and it works with the -partial_chain tag, with an error at the end:

openssl s_client -connect pacs.avendahealth.com:443 -CAfile /Users/sumitjanawlekar/pynetDicom_cert/fullchain.pem -partial_chain

with

 Start Time: 1695710162
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

Without the -partial_chain tag it fails with this error:

Start Time: 1695710953
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

When I try sending DICOM data from Orthanc, it fails with this error:

ErrorCode: 9
ErrorDescription: Error in the network protocol
ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error

I am new to this; how can I make this work?

PSA: the connection works fine as soon as I turn off TLS. Also, the request flows like this: DICOM Client -> AWS network load balancer (NLB) -> EC2 (pynetDicom running here). I even tried terminating TLS at the NLB level, still the same error.

I have tried TLS termination, encryption at the pynetDicom level, a local setup (client and server both as Orthanc running locally), and testing with tools like openssl, etc. None of them worked.

Upvotes: 0

Views: 368

Answers (1)

SUMIT JANAWLEKAR

Reputation: 11

Issue:

The TLS error was due to the way the trust chain is evaluated in CA-signed certificates. In a traditional HTTPS workflow, browsers already have the root certificates of known CAs, but DICOM-TLS requests are initiated by a DICOM server, not a browser. This requires us to manually provide the complete certificate chain.

Solution:

1.  Understand the Certificate Chain:
•   Server Certificate: The certificate our application or server uses.
•   Intermediate Certificate: The certificate that signed the Server Certificate.
•   Root Certificate: The certificate that signed the Intermediate Certificate.
2.  Obtain Certificates:
•   When issuing a certificate from Let’s Encrypt, you receive the Server Certificate and the Intermediate Certificate but not the Root Certificate.
3.  Get the Root Certificate:
•   Look up the Root Certificate that signed the Intermediate Certificate and download it from Let’s Encrypt’s Chain of Trust.
4.  Concatenate Certificates:
•   Concatenate the Server, Intermediate, and Root Certificates into one file. However, if you are using Certbot, the fullchain.pem file already includes the Server and Intermediate Certificates concatenated. You just need to add the Root Certificate.
5.  Configure Orthanc:
•   Use the fullchain.pem (or the concatenated certificate file) in your Orthanc configuration.

Update the Orthanc configuration file to include the path to the concatenated certificate:

{ "DicomTlsTrustedCertificates": "/path/to/your/concatenated.pem" }

The trust chain is explained in more detail here: https://letsencrypt.org/certificates/

Upvotes: 1
