No more secure https
I have a very serious SSL issue after renewing my SSL certificates (since Feb 2017; before that it was fine). I cannot get an https connection as soon as I import my Go Daddy or Let's Encrypt cert.
I have called Go Daddy, but on their side it is fine; it is app related.
I dug quite a bit to understand the issue, comparing what is working and what is not.
So far, it happens as soon as I import my cert within the console. Usually this works fine, except with new certificates.
I did some traces with openssl.
Relevant messages I captured with the command `openssl s_client -connect webrtc.free-solutions.org:443 -state -debug`:

```
SSL_connect:SSLv3 read server certificate A
SSL3 alert write:fatal:decrypt error
SSL_connect:error in SSLv3 read server key exchange B
SSL_connect:error in SSLv3 read server key exchange B
140353089410976:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
140353089410976:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:
140353089410976:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1833:
```

I have updated all packages, including the OS, Java, and a compile of openssl, all to the latest version, but no success: still no https, so my site is down, the worst scenario.
Technical configuration:
- OS: CentOS Linux release 7.3.1611 (Core)
- Java: java version "1.8.0_121"
- Openfire: 4.1.3
- OpenSSL: OpenSSL 1.1.0e 16 Feb 2017

I made a detailed comparison of my 2 Openfire servers: test.free-solutions.org (certificate of 6 Jan 2017, all OK, still works) and webrtc.free-solutions.org (https: KO).
See the attached PDFs for a detailed SSL analysis.
**Attachments:**
- WORKS FINE (not renewed yet): CompleteSSL Server Test_ test.free-solutions_ALLOKI_Oldcert.pdf
- DOES NOT WORK : SSL-KO webrtc.free-solutions_certificate_renewed.pdf
Questions :
- Is there any applicable workaround or suggestion to fix this? I am totally stuck and down.
- Do you face the same problem? While googling, I saw several similar issues on other packages.
- This looks similar to this issue for the radius pkg.
- Do I need a signed DSA cert now? It was working without one until the renewal.

Scope: Not sure if I am the only case out there; potentially a big problem for many of us. No more https after cert expiry, that is the risk.
SSL-KO webrtc.free-solutions_certificate_renewed.pdf (174209 Bytes)
SSL Server Test_ test.free-solutions_ALLOKI_Oldcert.pdf (173834 Bytes)