Filr Desktop client is unable to connect due to a nested ASN1 error

  • 7018096
  • 26-Sep-2016
  • 12-Oct-2016

Environment

Novell Filr 2.0 Desktop client

Situation

The Filr 2.0 Desktop Client is unable to connect on only one or a few Windows desktops in an environment.

No obvious error, but the filr.log of the affected workstation shows the following error:
[ui-1] [INFO] Requesting / REST resource (GET)... (aca.onprem.apiserver.restapi)
[ui-1] [INFO] Completed request for / REST resource (GET) (aca.onprem.apiserver.restapi)
[ui-1] [INFO] Error: (218640442) nested asn1 error (_ssl.c:2626) (aca.onprem.auth)
[ui-1] [ERROR] Exception: <class 'aca.excepts.ConnectionError'> (aca.excepts)
Traceback (most recent call last):
  File "aca\onprem\auth.pyo", line 154, in Apply
  File "aca\onprem\apiserver.pyo", line 504, in VerifyAuthorization
  File "aca\onprem\restapi.pyo", line 238, in VerifyAuthorization
  File "aca\onprem\restapi.pyo", line 154, in GetReleaseInfo
  File "aca\onprem\restapi.pyo", line 147, in GetUriFromRoot
  File "aca\onprem\restapi.pyo", line 135, in GetApiRoot
  File "aca\onprem\restapi.pyo", line 179, in MakeJSONRESTRequest
  File "aca\onprem\restapi.pyo", line 217, in MakeRESTRequest
ConnectionError: (218640442) nested asn1 error (_ssl.c:2626)

Removing or replacing the all-certs.pem of the affected workstation does not resolve the problem.

Resolution

[Micro Focus Filr Desktop Engineering have been made aware of this issue and are looking into this matter for a permanent solution]

The following workaround can be used in the meantime. It requires a Linux machine that has openssl installed and the third-party Perl script cert-split.pl, which can be obtained here.

Then go through these steps:
01. Obtain the all-certs.pem from the %LOCALAPPDATA%\Novell\Filr folder of the affected workstation.

02. Upload the all-certs.pem and the cert-split.pl to the Linux machine.

03. Connect to the Linux machine's command prompt, either over ssh or via the console.

04. cert-split.pl can only process the all-certs.pem if the file is in Unix format, so convert it first.
linux:~# dos2unix all-certs.pem

05. Use the perl script to split all the certificates from the all-certs.pem.
linux:~# ./cert-split.pl ./all-certs.pem
This will prompt for a file name for each certificate stored in the all-certs.pem.
When there is a faulty certificate in the all-certs.pem, cert-split.pl will show an error for the faulty certificate when it is being processed:
Found a complete certificate:
unable to load certificate
14955:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1323:
14955:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:389:Type=X509_CINF
14955:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=cert_info, Type=X509
14955:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:


What file should this be saved to?
Defective.pem
Certificate saved

06. Download the Defective.pem file to the workstation and read its properties to determine the faulty certificate details (openssl is unable to read the properties). Double-clicking the file should suffice.

07. Using the information obtained in step 06, locate the certificate in the Windows Certificate Store and remove it.
(Note: If this is a required certificate for other services, verify with the vendor or distributor if they can provide you with a regenerated or newer version of that certificate.)

08. Although the all-certs.pem is regenerated each time the Filr Desktop Client starts, it is a good precaution to remove that file from the affected workstation.

09. Restart the workstation.

After these steps, the Filr Desktop Client should be able to connect to the Filr system.
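
As an alternative way to find the faulty block in steps 04 and 05, the following added example (not part of the original article, and not code from Micro Focus or cert-split.pl) uses only the Python standard library to report which certificate in all-certs.pem fails a structural DER check of the kind behind the "wrong tag" error above. The function names and the sample bundle are constructed for illustration; it checks only the top-level Certificate tags and is not a full X.509 parser.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def check_cert_shape(der):
    """Return None if the top-level Certificate tags are right, else a reason."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "outer SEQUENCE malformed"
    pos = 0
    for name, want in (("tbsCertificate", 0x30), ("signatureAlgorithm", 0x30),
                       ("signature", 0x03)):  # SEQUENCE, SEQUENCE, BIT STRING
        tag, _, pos = read_tlv(body, pos)
        if tag != want:
            return f"wrong tag 0x{tag:02x} in {name}"
    return None if pos == len(body) else "trailing data after signature"

def find_faulty(bundle_text):
    """Return [(block_number, reason)] for each PEM block that fails the check."""
    bad = []
    for i, m in enumerate(PEM_RE.finditer(bundle_text), start=1):
        b64 = "".join(m.group(1).split())  # also strips CRs from DOS line endings
        try:
            reason = check_cert_shape(base64.b64decode(b64, validate=True))
        except ValueError as exc:  # invalid base64 or truncated DER
            reason = str(exc)
        if reason:
            bad.append((i, reason))
    return bad

# Constructed DER skeletons, not real certificates; block 2 has SET (0x31) as tbsCertificate.
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(bytes.fromhex(h)).decode()
    + "\r\n-----END CERTIFICATE-----\r\n"
    for h in ("300c300205003002050003020000", "300c310205003002050003020000"))
```

Calling find_faulty() on the text of all-certs.pem returns the position of each suspect block in the file, which can then be saved and inspected as in step 06.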

Cause

The all-certs.pem file is generated when the Filr Desktop Client is started, and contains all the certificates that are installed on the workstation.

One or more of the certificates installed on the workstation is invalid or corrupted, causing the verification of all certificates to fail.