DCDT failing to decrypt inbound messages


lcm...@emrdirect.com

Feb 28, 2025, 2:21:43 PM
to Edge Test Tool (ETT)
Hello ETT Team,

The reports sent back from DCDT for valid cert tests (e.g. D1, D2) are now returning a test "failed" status with the following error in the Processing Message(s): section:
  • ERROR: Unable to decrypt mail MIME message (id=, from=[DIRECTADDRESSREDACTED], to=d...@domain10.dcdt31.healthit.gov) enveloped content (type=application/pkcs7-mime;smime-type=enveloped-data;name="smime.p7m").
Decryption in this setting has been working as expected for years, and the ETT is currently successfully decrypting messages and MDNs sent to the ETT for the other h.1 test scenarios, so the cause of this is unclear. Perhaps the public keys used in the ETT's DCDT certificates were changed but the private keys were not updated?

Thanks.

Kim Poletti

Feb 28, 2025, 4:21:41 PM
to Edge Test Tool (ETT)
Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future.

lcm...@emrdirect.com

Mar 7, 2025, 12:13:52 PM
to Edge Test Tool (ETT)
FYI, this is still occurring with the DCDT result email messages sent from the new ETT release V4.0.2 this week.
The unable to decrypt error above is still being observed for D1, D2, D9, D14, D17, D18.
Additionally, this week we are also intermittently observing "input too large for RSA cipher" instead of "unable to decrypt" for some of these tests D1, D2, and D14.
Note that we are unable to assess some of the DCDT test outputs because of the separately reported issue with the ETT LDAP servers which is also unresolved at this time.

Kelsey Harper

Mar 7, 2025, 1:48:48 PM
to Edge Test Tool (ETT)
We are also running into this issue at the moment. 

D1 and D2 return "input too large for RSA cipher" error. 

D9, D14, D17, and D18 return the "unable to decrypt" error. 

Kelsey Harper

Mar 19, 2025, 3:02:26 PM
to Edge Test Tool (ETT)
Hi, any update on when this issue will be fixed? This is one of several SITE issues that are preventing us from testing the h1 criterion. Thanks!

Jeff Snyder

Mar 21, 2025, 8:54:45 AM
to Edge Test Tool (ETT)
It looks like the certificates for the D1 and D2 tests (and possibly others) need to be reissued with the new CA. It appears the CA was reissued on Feb 28, 2025, but the certificates for the D1 and D2 tests are both still dated from February 2022.

Braeden Rai

Mar 25, 2025, 11:15:28 AM
to Edge Test Tool (ETT)
Hi, are there any updates on this issue?

Kim Poletti

Mar 25, 2025, 11:40:33 AM
to Edge Test Tool (ETT)
Hello Braeden,

This is a high priority issue the team is working on. We will keep you updated once it is fixed.

Thank you,
Kim

James Spillman

Apr 2, 2025, 10:39:20 AM
to Edge Test Tool (ETT)
DNS domain and address bound certificates have been updated. Can you try the D1 test again? If you haven't already done so you'll need to reinstall the DCDT trust anchor.

Jeff Snyder

Apr 2, 2025, 2:57:30 PM
to Edge Test Tool (ETT)
We were able to run tests D1 thru D4 successfully this afternoon.