1 Reply Latest reply on Mar 12, 2017 11:05 AM by claude stabile

    Serious issue after SSL certificate renewal / Issue appears when you update an SSL cert (since Feb 2017)

    claude stabile

      No more secure HTTPS

      I have a very serious SSL issue after renewing my SSL certificates (since Feb 2017; before that it was fine). I cannot get an HTTPS connection as soon as I import my GoDaddy or Let's Encrypt cert.

      I have called GoDaddy, but on their side it is fine; it is app related.

      I dug pretty deep to understand the issue, comparing what is working and what is not.

      So far, as soon as I import my cert within the console: usually this works fine, except with new certificates.

      screenshot40.png

      I did some traces with openssl:

      Relevant messages I captured with the command: openssl s_client -connect webrtc.free-solutions.org:443 -state -debug

      SSL_connect:SSLv3 read server certificate A

      SSL3 alert write:fatal:decrypt error

      SSL_connect:error in SSLv3 read server key exchange B

      SSL_connect:error in SSLv3 read server key exchange B

      140353089410976:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:

      140353089410976:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:

      140353089410976:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1833:

      I have updated all packages, including the OS, Java and a compile of OpenSSL, all to the latest version, but no success; still no HTTPS, so my site is down, the worst-case scenario.

      Technical configuration:

      OS: CentOS Linux release 7.3.1611 (Core)

      Java: java version "1.8.0_121"

      Openfire: 4.1.3

      OpenSSL: OpenSSL 1.1.0e  16 Feb 2017

      I made a detailed comparison of my 2 Openfires: test.free-solutions.org (certificate from 6 Jan 2017, all OK, still works); server webrtc.free-solutions.org: HTTPS KO.

      See the attached PDF for a detailed SSL analysis.

      Attachments:

      • WORKS FINE (not renewed yet): CompleteSSL Server Test_ test.free-solutions_ALLOKI_Oldcert.pdf
      • DOES NOT WORK: SSL-KO webrtc.free-solutions_certificate_renewed.pdf

      Questions:

      • Is there any applicable workaround or suggestion to fix this? I am totally stuck and down.
      • Do you face the same problem? While googling I saw several similar issues on other packages.
      • Do I need a signed DSA cert now? It was working without one until the renewal.

      Scope: not sure if I am the only case out there; potentially a big problem for many of us. No more HTTPS after cert expiry, that is the risk.

        • Re: Serious issue after SSL certificate renewal / Issue appears when you update an SSL cert (since Feb 2017)
          claude stabile

          1 - Recreate a new 2048-bit private key

          openssl genrsa -des3 -out private_webrtc4Godaddy.pem 2048

          Extract the public key from the private key file

          openssl rsa -in private_webrtc4Godaddy.pem -outform PEM -pubout -out public_webrtc4Godaddy.pem.pem

          We now have these 2 files

          -rw------- 1 root root 1751 Mar 11 22:59 private_webrtc4Godaddy.pem
          -rw-r--r-- 1 root root  451 Mar 11 23:02 public_webrtc4Godaddy.pem.pem

          2 - Create a new 2048-bit keystore

          mv keystore keystore.ori

          keytool -genkey -alias example.com -keyalg RSA -keysize 2048 -keystore keystore

          Generate the CSR to send to GoDaddy (printed to stdout when no -file is given):

          keytool -certreq -alias example.com -keystore keystore

          3 - Send the CSR to GoDaddy
          When the cert is received and signed:
          Connect to GoDaddy and download your cert (choose Other in the drop-down list at download)
          Concatenate the file gd_bundle.crt with ######.crt into a file that contains all the delivered crts (4 signatures)
          cat gd_bundle.crt > gdAll.txt
          cat ######.crt >> gdAll.txt

          4 - Install in the Openfire console:

          Cut and paste your private key (example.pem), generated above, into the top window
          Cut and paste gdAll.txt into the bottom window

          screenshot3.png



          Validate; the cert should be green

          screenshot2.png



          5 - Restart Openfire
          Check HTTPS connections on port 9091 / console HTTPS
          Check HTTPS via SSL Server Test (Powered by Qualys SSL Labs)

          What probably fixed this issue (a new, fresh private key):

          • Upgrade OpenSSL to OpenSSL 1.1.0e
          • Regenerate a new 2048-bit private key
          • Probably connected to the French character "à" in my company name

          My SSL Labs test: SSL Server Test: webrtc.free-solutions.org (Powered by Qualys SSL Labs)
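The trace in the opening post (RSA padding check failed, then "bad signature" while reading the ServerKeyExchange) is what an OpenSSL client reports when the server signs the key exchange with a private key that does not correspond to the public key in the certificate it just sent, which is consistent with the fix above (a fresh key, a fresh CSR, and the matching certificate installed together). The following script is an added example, not code from the original thread or from Openfire: it builds a throwaway PKI in a temp directory (a local "Test Root CA" stands in for GoDaddy, and all file names are made up), then shows the two checks a practitioner wants before restarting the server: does the private key match the certificate, and does the concatenated bundle actually chain to the root. It assumes openssl 1.1.x or later in PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from Openfire.
# Two checks for the situation in the thread: (1) does the private key match the
# certificate that was imported, and (2) does the concatenated bundle build a chain.
# Assumes openssl (1.1.x or newer) in PATH. Everything below is generated locally;
# "Test Root CA" stands in for GoDaddy and all file names are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo) derived from a private key.
pubkey_digest_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# SHA-256 of the DER-encoded public key embedded in a certificate.
pubkey_digest_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# Exit 0 when key ($1) and certificate ($2) carry the same public key, 1 otherwise.
# A mismatch is what makes s_client fail with "bad signature" on the ServerKeyExchange:
# the server signs with one key while the client verifies with the certificate's key.
key_matches_cert() {
    [ "$(pubkey_digest_from_key "$1")" = "$(pubkey_digest_from_cert "$2")" ]
}

# Exit 0 when the leaf ($1) chains to the trusted root ($3) through the bundle ($2),
# whatever order the bundle lists its certificates in.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway PKI that mirrors the fix procedure in the reply.
make_test_pki() {
    # Private CA standing in for the public CA that signs the real CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Test Root CA" 2>/dev/null
    # Fresh server key and CSR (steps 1 and 2 of the fix).
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=webrtc.example.test" 2>/dev/null
    # The CA signs the CSR and returns the leaf certificate (step 3).
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/server.crt" 2>/dev/null
    # A different key, standing in for the stale one left behind in the old keystore.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/stale.key" 2>/dev/null
    # The "bundle" as a CA would deliver it (gd_bundle.crt in the thread); here just the root.
    cat "$WORK/ca.crt" > "$WORK/bundle.crt"
}

make_test_pki

if key_matches_cert "$WORK/server.key" "$WORK/server.crt"; then
    echo "fresh key matches the new certificate"
fi
if ! key_matches_cert "$WORK/stale.key" "$WORK/server.crt"; then
    echo "stale key does NOT match the new certificate (the failing setup from the thread)"
fi
if chain_verifies "$WORK/server.crt" "$WORK/bundle.crt" "$WORK/ca.crt"; then
    echo "leaf chains to the root through the bundle"
fi
```

Against a real deployment, run key_matches_cert on the key you pasted into the console and the leaf certificate GoDaddy returned; if the digests differ, no amount of chain fixing will help and the key or the certificate has to be replaced. chain_verifies uses the bundle as untrusted intermediates and only the root as trusted, so it also catches a bundle that is missing an intermediate.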