SEP debugger - continued issues with 'Self signed certificate' error #2320

Open
heymchri opened this issue Oct 31, 2024 · 13 comments
Labels
debug Debug client issue (IBM)

Comments

@heymchri

When trying to set a Service Entry Point, I frequently get an error message:
"EQAVS1007E xxxxxxx.yyyyy.COM on port 8005 could not be connected.
Message received: self signed certificate"

Why is this happening? This is the cert that gets generated by the Debug Service. Is there a setting somewhere that causes self signed certificates to be disallowed? We use other self signed certs on this same partition without issues.

Also, when trying to use an external CA signed cert (Sectigo), I get the issue described in #2309.


Context Version
Code for IBM i version 2.13.5
Visual Studio Code version 1.95.0
Operating System darwin_arm64
Active extensions
.NET Install Tool (vscode-dotnet-runtime): 2.2.1
CL (vscode-clle): 1.1.7
COBOL (cobol): 24.10.26
Code for IBM i Walkthroughs (vscode-ibmi-walkthroughs): 0.5.0
Configuration Editing (configuration-editing): 1.0.0
Db2 for IBM i (vscode-db2i): 1.6.1
Dev Containers (remote-containers): 0.388.0
Emmet (emmet): 1.0.0
Error Lens (errorlens): 3.20.0
Excel Viewer (gc-excelviewer): 4.2.62
Extension Authoring (extension-editing): 1.0.0
Git (git): 1.0.0
Git Base (git-base): 1.0.0
GitHub (github): 0.0.1
IBM i Debug (ibmidebug): 2.0.1
JSON Language Features (json-language-features): 1.0.0
Merge Conflict (merge-conflict): 1.0.0
NPM support for VS Code (npm): 1.0.1
Node Debug Auto-attach (debug-auto-launch): 1.0.0
Overtype (overtype): 0.5.0
Prettier - Code formatter (prettier-vscode): 11.0.0
Print (vscode-print): 0.13.2
RPGLE (vscode-rpgle): 0.26.12
Server Ready Action (debug-server-ready): 1.0.0
TODO Highlight (vscode-todo-highlight): 1.0.5
TypeScript and JavaScript Language Features (typescript-language-features): 1.0.0
vscode-icons (vscode-icons): 12.9.0

Remote system
IBM i OS: V7R5M0
Tech Refresh: 4
CCSID Origin: 37
Runtime CCSID: 37
Default CCSID: 37
SQL: Enabled
Source dates: Disabled

Enabled features
/QOpenSys/pkgs/bin: bash, chsh, ls, md5sum, sort, stat, tn5250
/usr/bin: attr, iconv, setccsid, tar
/QSYS.lib/ILEDITOR.lib: GETNEWLIBL.PGM
/QSYS.LIB: QZDFMDB2.PGM
/QIBM/ProdData/IBMiDebugService/bin: startDebugService.sh
/QOpenSys/QIBM/ProdData/JavaVM/jdk80: 64bit
/QOpenSys/QIBM/ProdData/JavaVM/jdk11: 64bit
/QOpenSys/QIBM/ProdData/JavaVM/jdk17: 64bit
Shell env
BUILDLIB=AEALIB
CURLIB=AEALIB
HOME=/home/HEYMCHR
HOST=usalil2c.infor.com
LIBLS=AMXLIBB AMFLIBB AEALIB AEFLIB XA10FLIB QTEMP QGPL
LOGIN=heymchr
LOGNAME=heymchr
MAIL=/var/spool/mail/heymchr
OLDPWD=/home/HEYMCHR
PATH=/QOpenSys/pkgs/bin:/QOpenSys/usr/bin:/usr/ccs/bin:/QOpenSys/usr/bin/X11:/usr/sbin:.:/usr/bin:/QOpenSys/usr/bin:/usr/bin
PWD=/home/HEYMCHR
SHELL=/QOpenSys/pkgs/bin/bash
SHLVL=1
SSH_CLIENT=10.61.1.35 59329 22
SSH_CONNECTION=10.61.1.35 59329 10.39.80.80 22
TZ=<EST>5<EDT>,M3.2.0,M11.1.0
USER=heymchr
USERNAME=heymchr
WORKDIR=/home/HEYMCHR
_=/QOpenSys/pkgs/bin/env
Variants
{
  "american": "#@$",
  "local": "#@$"
}
Errors
[
  {
    "command": "/QOpenSys/usr/bin/qsh",
    "code": 1,
    "stderr": "CPF4102:  File EVFEVENT in library QGPL with member EDNRPGLE not found.\nCPF2803:  To-file EVFEVENT in QGPL not allowed.\nCPF2817:  Copy command ended because of error.",
    "cwd": "/home/HEYMCHR"
  },
  {
    "command": "/QOpenSys/usr/bin/qsh",
    "code": 1,
    "stderr": "CPD0048:  List of values not valid for parameter FILE.\nCPF0001:  Error found on DSPFFD command.",
    "cwd": "/home/HEYMCHR"
  },
  {
    "command": "/QOpenSys/usr/bin/qsh",
    "code": 1,
    "stderr": "CPF3012:  File OBJFPCLA in library *LIBL not found.",
    "cwd": "/home/HEYMCHR"
  }
]
@worksofliam worksofliam added the debug Debug client issue (IBM) label Oct 31, 2024
@mkwan01

mkwan01 commented Nov 19, 2024

@heymchri Here are the things you can try:

  1. Remove the two host certificate files (debug_service.pfx and debug_service.crt) under /QIBM/UserData/IBMiDebugService/certs and also remove the client certificate file on client machine (under C:\Users\%UserID%\%HOSTNAME%_debug_service.crt on Windows). Then regenerate the certificates from VSCode.
  2. Do a binary comparison between the host file /QIBM/UserData/IBMiDebugService/certs/debug_service.crt and the client file C:\Users\%UserID%\%HOSTNAME%_debug_service.crt. They should have the same content.
  3. Run the following openssl command on the client machine to test the debug SSL connection:

openssl s_client -host ibmi_host -port 8005

@mkwan01

mkwan01 commented Nov 19, 2024

The most likely cause is that the host file debug_service.crt and the client file %HOSTNAME%_debug_service.crt do not match.

@heymchri
Author

@mkwan01 I can no longer seem to reproduce this, so I will close this issue. Maybe something in VS Code for i changed since I had this issue at 2.13.5 but I'm now at 2.13.6. Anyways, thanks for the pointers and I'll open a new issue if I run into this again in the future.

@heymchri heymchri reopened this Nov 19, 2024
@heymchri
Author

heymchri commented Nov 19, 2024

@mkwan01 I'm reopening this issue - after installing a cert signed by an external CA, when trying to set a SEP, I get this error:
image

Testing the debug SSL connection shows:
openssl s_client -host usalil2c.infor.com -port 8005

Connecting to 10.39.80.80
CONNECTED(00000005)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C=US, ST=New York, O=Infor, US LLC, CN=usalil2c.infor.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, O=Infor, US LLC, CN=usalil2c.infor.com
   i:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 20 00:00:00 2023 GMT; NotAfter: Dec 19 23:59:59 2024 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=C=US, ST=New York, O=Infor, US LLC, CN=usalil2c.infor.com
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6849 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 3F86CC5C1BC088E9EF9F75689499AE336EDBC282C77D35E3CEA2DFD12CB27DCE
    Session-ID-ctx:
    Resumption PSK: 3C66DF9EE9EC8C1CF4F1E47A5BE04C41C03513FA9F23E9F1FFCF83D0D29B6F6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    Start Time: 1732057517
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

I did a diff to compare my local crt file vs. the one on the IBM i - they are identical.

.log file shows:

!SESSION 2024-11-19 18:06:50.050 -----------------------------------------------
eclipse.buildId=unknown
java.fullversion=11.0.24+8
JRE 11 OS/400 ppc64-64-Bit Compressed References 20240913_16 (JIT enabled, AOT enabled)
OpenJ9   - 1a6f6128aa
OMR      - 840a9adba
JCL      - 253a1f4554 based on jdk-11.0.24+8
BootLoader constants: OS=os/400, ARCH=ppc64, WS=unknown, NL=en_US
Framework arguments:  -application com.ibm.etools.iseries.daas.application -localonly -secureport=8005 -port=8001 -sepdaemonport=8008 -keystore=/QIBM/UserData/IBMiDebugService/certs/debug_service.pfx -keystorepassword=O/Jo34hTDMNY1mRWXS8O9w==
Command-line arguments:  -application com.ibm.etools.iseries.daas.application -data /QIBM/UserData/IBMiDebugService/startDebugService_workspace -localonly -secureport=8005 -port=8001 -sepdaemonport=8008 -keystore=/QIBM/UserData/IBMiDebugService/certs/debug_service.pfx -keystorepassword=O/Jo34hTDMNY1mRWXS8O9w==

!ENTRY org.eclipse.core.resources 2 10035 2024-11-19 18:06:59.209
!MESSAGE The workspace exited with unsaved changes in the previous session; refreshing workspace to recover changes.

@mkwan01

mkwan01 commented Nov 22, 2024

@heymchri We want to know whether this issue is specific to CA signed certificates. As the first step, can you verify whether the debug connection is OK if you use the Code for IBM i generated certificate? The Code for IBM i generated certificate is a self-signed certificate without a CA. Your new certificate seems to be a chained certificate that contains two intermediate CAs and one root CA.

@mkwan01

mkwan01 commented Nov 22, 2024

If the issue is specific to CA signed certificates, please open the local debug_service.crt file in an editor and report how many certificates are contained in the .crt file. If the .crt file contains multiple blocks of "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" clauses, then it contains multiple certificates. I would guess the .crt file only contains one certificate in your case.

@heymchri
Author

@mkwan01 I can't make sense of what's going on - I've been debugging all last week with internal certs (just regular batch debugging - no SEP). This morning I reconnect to the system, try to debug, and I get the dreaded 'Self Signed Certificate' error again. I try a bunch of scenarios, regenerating internal cert, quitting/restarting VS Code, installing CA cert, etc. but no matter what I do, I keep getting the 'Self Signed Certificate' error, on both partitions I'm testing with. I then must have done something different as suddenly the issue goes away and I can debug as batch with the internal cert on one of the partitions, and when I then go back to the other partitions, it magically works there as well now (although I didn't make any changes to that partition). So it almost seems like some kind of caching issue?

I then try to install the CA signed cert on that second partition, and lo and behold, I now get the 'self signed certificate in certificate chain' error.
The CA signed cert contains a single "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" block.

Output of the 'openssl s_client -host usalid06.infor.com -port 8005' command:

Connecting to 10.39.80.55
CONNECTED(00000005)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C=US, ST=New York, O=Infor (US), LLC, CN=usalid06.infor.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, O=Infor (US), LLC, CN=usalid06.infor.com
   i:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  8 00:00:00 2024 GMT; NotAfter: Nov  8 23:59:59 2025 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=C=US, ST=New York, O=Infor (US), LLC, CN=usalid06.infor.com
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6853 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 3A94938DD8965FCA804893C2CF48E564C2E31B1649AA8986E2D79DCEDE166560
    Session-ID-ctx:
    Resumption PSK: E7428B5D691CCDC799FD28697CD07F29AA554B47E73D0D7B5C77CD20F455EC0E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    Start Time: 1732549080
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

@mkwan01

mkwan01 commented Nov 25, 2024

@heymchri Does the second partition have a different host name or IP address? The generated certificate could be signed with the hostname or IP. If the hostname or IP is different, then we need to regenerate the certificate. As you have a chained certificate, one other option you can try is to generate a .pem file instead of the .crt file and make sure that the .pem file includes all certificates in the chain. You can then rename the .pem to a .crt on the client machine and see whether the new .pem that includes all certificates would work.
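
The checks suggested in this thread (counting the certificates in the .crt file, comparing the host and client copies, and confirming that a .pem carries every certificate in the chain) can be scripted. The following is an added example, not part of the thread or of the Code for IBM i project; the function names are hypothetical and the sample PEM payloads are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

# Matches each PEM certificate block; works on raw bytes so CRLF files parse too.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_fingerprints(pem_bytes):
    """SHA-256 of each certificate's decoded (DER) bytes, in file order."""
    prints = []
    for body in PEM_BLOCK.findall(pem_bytes):
        der = base64.b64decode(b"".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def compare_bundles(host_pem, client_pem):
    """Compare the host .crt with the client copy at certificate level."""
    host = cert_fingerprints(host_pem)
    client = cert_fingerprints(client_pem)
    return {
        "host_count": len(host),
        "client_count": len(client),
        "byte_identical": host_pem == client_pem,
        "same_certs": host == client,
        "leaf_matches": bool(host and client) and host[0] == client[0],
        "missing_on_client": [fp for fp in host if fp not in client],
    }


def make_pem(payload):
    """Wrap placeholder bytes in PEM armor (constructed sample data only)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload)
            + b"-----END CERTIFICATE-----\n")


# Constructed samples: placeholder payloads standing in for DER certificates.
LEAF = make_pem(b"constructed-leaf-certificate" * 4)
INTERMEDIATE = make_pem(b"constructed-intermediate-ca" * 4)
ROOT = make_pem(b"constructed-root-ca" * 4)
FULL_CHAIN = LEAF + INTERMEDIATE + ROOT
LEAF_CRLF = LEAF.replace(b"\n", b"\r\n")  # same certificate, Windows line endings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py host_debug_service.crt client_copy.crt
        with open(sys.argv[1], "rb") as h, open(sys.argv[2], "rb") as c:
            report = compare_bundles(h.read(), c.read())
    else:
        report = compare_bundles(FULL_CHAIN, LEAF_CRLF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Comparing fingerprints of the decoded certificates separates a real mismatch from a copy that differs only in line endings, which a plain binary comparison reports as different.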

@mkwan01

mkwan01 commented Nov 25, 2024

@heymchri One other thing you can try is to insert the following launch configuration into the VS Code launch.json file in the problem partition and use this launch config to start a debug session:

{
    "type": "IBMiDebug",
    "request": "launch",
    "subType": "batch",
    "name": "Remote debug: Launch a batch debug session",
    "user": "your_id",
    "password": "${command:AskForPassword}",
    "host": "your_ibmi_host",
    "port": 8005,
    "secure": true,
    "ignoreCertificateErrors": true,
    "library": "your_library",
    "program": "your_program",
    "startBatchJobCommand": "",
    "updateProductionFiles": false,
    "trace": true
},

The only difference between this and the integrated launch is the "ignoreCertificateErrors" attribute. It is set to false in the integrated launch. You can report back whether this solution works for you.

@heymchri
Author

Hi @mkwan01 next time I run into a 'Self Signed Certificate' error, I'll try your launch configuration suggestion.

@heymchri
Author

@mkwan01 just ran into the 'Self Signed Certificate' error again. Was working OK yesterday. Seems to happen whenever I switch between partitions. In any case, I tried the launch configuration and that worked - debug editor came up without error messages.

@heymchri
Author

@mkwan01 Also of note: I disconnected from the system, quit VS Code, restarted it, reconnected to the system, and the regular Debug as Batch function (i.e., not using the launch config) worked just fine - no cert errors. Didn't make any config changes at all in between. So it almost seems something is being cached that shouldn't, and it gets reset when exiting/restarting VS Code?

@heymchri
Author

heymchri commented Dec 18, 2024

@mkwan01 I ran into the 'self signed certificate' error again this morning - not only for SEP debugging but also for regular batch debugging. The error message showed up for all systems I tested (4 partitions). Disconnecting/reconnecting, stopping/restarting the debug service job, exiting/restarting VS Code didn't help. I then regenerated the cert for one of the partitions, and that fixed the issue not only for that partition, but also for the other 3 partitions.
