DICOM TLS between Orthanc and pynetDicom fails with error ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error

I am trying to create a secure communication between Orthanc (client, on my local Mac) and pynetDicom (server, on my EC2). For this I obtained an X.509 certificate from Let's Encrypt. I have added the certs to pynetDicom like this in the Python ssl context:

import ssl
from pynetdicom import AE, evt, AllStoragePresentationContexts

# Placeholders: Let's Encrypt's standard file names, illustrative listen address/port
CERT_FILE = "fullchain.pem"   # leaf certificate followed by the intermediate(s)
KEY_FILE = "privkey.pem"
CHAIN_FILE = "chain.pem"      # CA bundle; a server only uses this to verify *client* certificates
NODE_IP, NODE_PORT = "0.0.0.0", 11112
AE_TITLE = "MY_AET"

handlers = [(evt.EVT_C_STORE, lambda event: 0x0000)]  # accept every C-STORE (a real handler saves event.dataset)
ae = AE(ae_title=AE_TITLE)
ae.supported_contexts = AllStoragePresentationContexts

# Set up TLS (server side, hence Purpose.CLIENT_AUTH)
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
# certfile must contain the whole chain the server is supposed to send; if it only holds
# the leaf, peers that do not already trust the intermediate cannot build a chain
context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE, password=None)

# Trust store for verifying client certificates. It adds nothing to the chain the server
# sends, and has no effect while verify_mode is CERT_NONE (the default for CLIENT_AUTH)
context.load_verify_locations(cafile=CHAIN_FILE)

# start_server() blocks by default and returns None; block=False returns the server object
ae.start_server(
    (NODE_IP, NODE_PORT),
    ae_title=AE_TITLE,
    evt_handlers=handlers,
    ssl_context=context,  # Enable TLS
)

I tried testing the TLS connection with openssl, and it works with the -partial_chain flag, but with an error at the end:

openssl s_client -connect pacs.avendahealth.com:443 -CAfile /Users/sumitjanawlekar/pynetDicom_cert/fullchain.pem -partial_chain

Start Time: 1695710162
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

Without the -partial_chain flag it fails with this error:

Start Time: 1695710953
Timeout   : 7200 (sec)
Verify return code: 2 (unable to get issuer certificate)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

When I try to send DICOM data from Orthanc, it fails with this reason:

ErrorCode: 9
ErrorDescription: Error in the network protocol
ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error

I am new to this; how can I make this work?

PS: the connection works fine when I turn off TLS. Also, the request flows like this: DICOM client → AWS Network Load Balancer (NLB) → EC2 (pynetDicom running here). I even tried terminating TLS at the NLB level; still the same error.

I have tried TLS termination, encryption at the pynetDicom level, even a local setup (client and server both as Orthanc running locally), and testing with tools like openssl, etc. None of it worked.
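The two "Verify return code" values in the s_client output above are the whole diagnosis, so here is an added example (not code from the thread, Orthanc or pynetdicom) that reproduces them offline with the openssl CLI. It builds a throwaway root → intermediate → leaf chain (the "Demo ..." subjects, the 2-day lifetimes and the temporary directory are constructed placeholders) and runs openssl verify the way a client would see the server's certificates: with only the leaf sent (what a certfile of cert.pem instead of fullchain.pem produces), with the full chain sent, and with fullchain.pem used as the trust store with and without -partial_chain, which is the run shown above.

```sh
#!/bin/sh
# Added example: reproduce the openssl verify outcomes from the thread with a
# locally built root -> intermediate -> leaf chain (constructed placeholders).
set -e

# Build a self-signed root, an intermediate signed by it, and a leaf signed by the
# intermediate. Extensions come from -extfile so the result does not depend on the
# distribution's openssl.cnf defaults.
make_chain() {
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # Same layout as Let's Encrypt's fullchain.pem: leaf first, then the intermediate
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/fullchain.pem"
}

# verify_code <leaf> [openssl verify options...]
# Prints 0 when the chain verifies, otherwise the numeric X509_V_ERR code that openssl
# reports (the same number s_client shows as "Verify return code"). -no-CApath keeps
# the system trust store out of the picture.
verify_code() {
    leaf="$1"; shift
    if out=$(openssl verify -no-CApath "$@" "$leaf" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

# Four verifications, mirroring what a client sees depending on what the server sends
# and what the client trusts. Prints one line of "label:code" pairs.
chain_demo() {
    d=$(mktemp -d)
    make_chain "$d"
    # Client trusts the root; server sends only the leaf (certfile=cert.pem):
    # 20, "unable to get local issuer certificate" - the missing-intermediate symptom
    leaf_only=$(verify_code "$d/leaf.pem" -CAfile "$d/root.pem")
    # Client trusts the root; server sends leaf + intermediate (certfile=fullchain.pem): OK
    full=$(verify_code "$d/leaf.pem" -CAfile "$d/root.pem" -untrusted "$d/fullchain.pem")
    # Client uses fullchain.pem itself as the trust store, as in the thread's s_client run:
    # the chain ends at a trusted non-root, which is 2, "unable to get issuer certificate"...
    cafile_full=$(verify_code "$d/leaf.pem" -CAfile "$d/fullchain.pem")
    # ...unless -partial_chain tells OpenSSL to accept a trusted non-root as the anchor
    partial=$(verify_code "$d/leaf.pem" -CAfile "$d/fullchain.pem" -partial_chain)
    rm -rf "$d"
    echo "leaf_only:$leaf_only fullchain:$full cafile_fullchain:$cafile_full partial_chain:$partial"
}

chain_demo
```

The point of the last two cases: -partial_chain does not fix anything on the server, it only lowers the client's bar by accepting a trusted intermediate as the anchor, and Orthanc's DICOM client does not pass that flag to OpenSSL. What a normal client needs is the second case, the server sending leaf plus intermediate (fullchain.pem as certfile) and the client trusting the root; the first case is what a certfile holding only the leaf looks like from the outside.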

Hi!

From what I understand, your server is using pynetdicom and you always get an error with OpenSSL (with or without -partial_chain).

Since Orthanc is using OpenSSL, there is no way Orthanc would work if OpenSSL does not work without any option (Orthanc will use the default OpenSSL options). So it seems your pynetdicom server does not implement TLS correctly, and I would ask for support on their side first.

Best regards,

Alain.