
Serious issue after SSL certificate renewal / Issue appears when you update an SSL cert (since Feb 2017)

Question asked by claude stabile on Mar 8, 2017
Latest reply on Mar 12, 2017 by claude stabile

No more secure https

I have a very serious SSL issue after renewing my SSL certificates (since Feb 2017; before that it was fine). I cannot get an https connection as soon as I import my Go Daddy or Letsencrypt cert.

I have called Go Daddy, but on their side it is fine; it is app related.

I dug pretty deep to understand the issue, comparing what is working and what is not.


So far, as soon as I import my cert within the console: usually this works fine, except with new certificates.


I did some traces with openssl:


Relevant messages I captured with the command: openssl s_client -connect -state -debug

SSL_connect:SSLv3 read server certificate A

SSL3 alert write:fatal:decrypt error

SSL_connect:error in SSLv3 read server key exchange B

SSL_connect:error in SSLv3 read server key exchange B

140353089410976:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:

140353089410976:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:

140353089410976:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1833:


I have updated all packages, including OS, Java and a compile of openssl, all to the latest version, but no success; still no https, so my site is down, worst-case scenario.


Technical configuration :

OS : CentOS Linux release 7.3.1611 (Core)

Java : java version "1.8.0_121"

Openfire : 4.1.3

openSSL : OpenSSL 1.1.0e  16 Feb 2017


I made a detailed comparison of my 2 Openfires, (Certificate 6 Jan 2017, All OKI still work); server : https : KO

See PDF attached for a detailed SSL analysis


Attachments:

  • WORKS FINE(Not renewd yet) CompleteSSL Server Test_ 


Questions :

  • Is there any applicable workaround or suggestion to fix this? / I am totally stuck & down
  • Do you face the same problem? While googling I saw several similar issues on other packages
  • Do I need a signed DSA cert now? It was working without one until renewal


Scope: Not sure if I am the only case out there; potentially a big problem for many of us. No more https after cert exp, that is the risk.
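
The three error-queue lines in the trace above can be split into fields and their packed hex codes decoded, which shows the RSA padding failure surfacing as a bad signature in the server key exchange step. This is an added example, not part of the original post; it assumes the library/function/reason bit layout OpenSSL used before 3.0, and the function names are illustrative.

```python
import re

# Constructed sample: the three error-queue lines quoted in the post above.
TRACE = """\
140353089410976:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
140353089410976:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:
140353089410976:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1833:
"""

# thread-id:error:packed-code:library:function:reason:file:line:
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):")

# Library numbers from OpenSSL's err.h: ERR_LIB_RSA = 4, ERR_LIB_SSL = 20.
LIB_NAMES = {4: "rsa routines", 20: "SSL routines"}


def unpack(code):
    """Split a pre-3.0 packed code: 8 bits library, 12 function, 12 reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_error_queue(text):
    """Return one dict per error line, oldest (root) error first."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # state/debug lines from s_client are not queue entries
        lib, func, reason = unpack(int(m["code"], 16))
        entries.append({
            "function": m["func"], "reason": m["reason"],
            "source": f'{m["file"]}:{m["line"]}',
            "lib_num": lib, "func_num": func, "reason_num": reason,
            # The packed library number should agree with the printed name.
            "consistent": LIB_NAMES.get(lib) == m["lib"],
        })
    return entries


def failing_step(entries):
    """The last SSL-library entry names the handshake step that gave up."""
    ssl = [e for e in entries if e["lib_num"] == 20]
    return (ssl[-1]["function"], ssl[-1]["reason"]) if ssl else None


if __name__ == "__main__":
    for e in parse_error_queue(TRACE):
        print(e["source"], e["function"], "->", e["reason"], e["reason_num"])
    print("handshake step:", failing_step(parse_error_queue(TRACE)))
```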