Почему возникает исключение в http-запросе на стороне банка к моему ресурсу heroku с ssl-сертификатом от Let's encrypt

Question

Что не так с сертификатом ssl для https://platforma.openshkola.ru? Он не самоподписан, но ... Журналы из банковской java-службы, прикрепленные к их обратному вызову на мой ресурс.

2019-11-07 18:02:57,096 [callback-3] ERROR r.b.p.c.c.CallbackExecutor:49 - Error while sending first callback CallbackTO{merchantId=1579515003, merchantName='mentalplatform', url='https://platforma.openshkola.ru/letthespecificapibethesecret', params='{orderNumber=XXX, mdOrder=XXX, operation=deposited, status=1}', method='GET', successfulCode=null, successfulResponse='null', customQueueName='null'} javax.net.ssl.SSLException: Received fatal alert: internal_error

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)

at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)

at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)

at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:185)

at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:369)

at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:415)

at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)

at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)

at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)

at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)

at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)

at ru.bpc.payment.core.callback.HttpCallbackSender.send(HttpCallbackSender.java:96)

at ru.bpc.payment.core.callback.CallbackExecutor.lambda$0(CallbackExecutor.java:46)

at ru.bpc.payment.service.callback.PaymentCallbackService.lambda$1(PaymentCallbackService.java:97)

at java.util.concurrent.FutureTask.run(FutureTask.java:266)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

at java.lang.Thread.run(Thread.java:748)

выходной локоть есть:

curl -kvI https://platforma.openshkola.ru
* About to connect() to platforma.openshkola.ru port 443 (#0)
*   Trying 52.210.255.158...
* Connected to platforma.openshkola.ru (52.210.255.158) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=platforma.openshkola.ru
*   start date: Oct 10 20:35:30 2019 GMT
*   expire date: Jan 08 20:35:30 2020 GMT
*   common name: platforma.openshkola.ru
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: platforma.openshkola.ru
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Cowboy
Server: Cowboy
< Connection: keep-alive
Connection: keep-alive
< Expires: 0
Expires: 0
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< X-Xss-Protection: 1; mode=block
X-Xss-Protection: 1; mode=block
< Pragma: no-cache
Pragma: no-cache
< Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: strict-origin-when-cross-origin
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:; frame-src 'self' https://www.youtube.com
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:; frame-src 'self' https://www.youtube.com
< Date: Fri, 08 Nov 2019 11:26:38 GMT
Date: Fri, 08 Nov 2019 11:26:38 GMT
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< Content-Language: en-US
Content-Language: en-US
< X-Frame-Options: DENY
X-Frame-Options: DENY
< Last-Modified: Thu, 07 Nov 2019 13:11:45 GMT
Last-Modified: Thu, 07 Nov 2019 13:11:45 GMT
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Feature-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'
Feature-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'
< Content-Length: 6260
Content-Length: 6260
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Via: 1.1 vegur
Via: 1.1 vegur

< 
* Connection #0 to host platforma.openshkola.ru left intact