Serious issue after SSL certificat renewal / Issue appears when you update a SSL Cert(Since feb 2017)

No more secure https

I have a very serious SSL issue after renewing my SSL certificates(Since Feb 2017, before it was fine). I cannot have a https connection as soon as i import my Go Daddy or Letsencrypt cert.

I have called Go Daddy but on their side, it is fine, it is app related

I dig pretty much to understand the issue comparing what is working and what is not

So far as soon as i import my Cert within the console : Usually this works fine Except with new certificates

I did some trace with openssl :

relevant message i capture with command : openssl s_client -connect webrtc.free-solutions.org:443 -state -debug

SSL_connect:SSLv3 read server certificate A

SSL3 alert write:fatal:decrypt error

SSL_connect:error in SSLv3 read server key exchange B

SSL_connect:error in SSLv3 read server key exchange B

140353089410976:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:

140353089410976:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:

140353089410976:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1833:

I have updated all packages including OS, java, compil of openssl, all to latest version but no sucess, still no https so my site is down, worse scenario

Technical configuration :

OS : CentOS Linux release 7.3.1611 (Core)

Java : java version “1.8.0_121”

Openfire : 4.1.3

openSSL : OpenSSL 1.1.0e 16 Feb 2017

I made a detailed comparison of my 2 Openfires, test.free-solutions.org (Certificate 6 Jan 2017, All OKI still work); server webrtc.free-solutions.org : https : KO

See PDF attached for a detailled SSL analysis

**Attachements : **

  • WORKS FINE(Not renewd yet) CompleteSSL Server Test_ test.free-solutions_ALLOKI_Oldcert.pdf
  • DOES NOT WORK : SSL-KO webrtc.free-solutions_certificate_renewed.pdf

Questions :

  • Is there any applicable workarround or suggestion to fix this ? / I am totally stuck & down
  • Do you face same problem ? I saw while googling several similar issues on other packages
    • This look similar to this issue for radius pkg
  • do i need a signed DSA cert now ? it was working without till renewal

Scope : Not sure if i am the only case out there, potentially a big problem for many of us. No more https after cert exp, that the risk
SSL-KO webrtc.free-solutions_certificate_renewed.pdf (174209 Bytes)
SSL Server Test_ test.free-solutions_ALLOKI_Oldcert.pdf (173834 Bytes)

1-Recreate new private key2048

openssl genrsa -des3 -out private_webrtc4Godaddy.pem 2048

Extract public key from Private file

openssl rsa -in private_webrtc4Godaddy.pem private_webrtc4Godaddy.pem -outform PEM -pubout -out public_webrtc4Godaddy.

pem.pem
We have now these 2 files

-rw------- 1 root root 1751 Mar 11 22:59 private_webrtc4Godaddy.pem
-rw-r–r-- 1 root root 451 Mar 11 23:02 public_webrtc4Godaddy.pem.pem

2-Create a new 20148 keystore

mv keystore keystore.ori

keytool -genkey -alias example.com -keyalg RSA -keysize 2048 -keystore keystore

Generate CSR to send to GoDaddy

Generate CSR :

-bash-4.2$ keytool -genkey -alias example.com -keyalg RSA -keysize 2048 -keystore keystore
3Send CSR to Godaddy
When cert is received and Signed
Connect to Go Daddy and download your cert (Choose Other in drop downn list at download)
Concatenate files gd_bundle.crt with ######.crt into a file that contain all crt delivered (4 signatures)
cat gd_bundle.crt > gdAll.txt
cat ######.crt >> gdAll.txt

4-Install in Openfire Console :

Cut and paste your priv Key (example.pem) Generated in top windows
Cut and paste gdAll.txt at bottom windows

screenshot3.png

Validate, cert should be green

screenshot2.png


5-Restart Openfire
Check https connections on port 9091 / console https
Check https via SSL Server Test (Powered by Qualys SSL Labs)

What probably fixe this issue : (New a fresh private key)

  • Upgrade openSSL to OpenSSL 1.1.0e
  • Regenerate a new private key 2048
  • Probably connected to french Char “à” in my company name

my SSL Lab test : SSL Server Test: webrtc.free-solutions.org (Powered by Qualys SSL Labs)