I am generating the pkpass files via an AWS Lambda function. So far I have been using the certificate.pem, private.key and wwdr.pem certificates with the wallet-py3k (https://github.com/pretix/wallet-py3k) library. Now, after a year, the certificate needs to be renewed. So I went through the process of generating the .p12 file in order to extract the certificate.pem and private.key out of it. The wwdr.pem I did not touch. The generation of the pkpass now fails with DecryptFail messages from openssl. I have provided openssl11 to the Lambda function via a dedicated Lambda layer. And for the new pkpass I used a different openssl version. Could that be the reason?
It is possible that the key in your .p12 file doesn't match the certificate.
To check:
Extract the certificate and key (replace file.p12 with your .p12 filename):
openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -nocerts -out privatekey.pem
Get the modulus for each:
openssl rsa -noout -modulus -in privatekey.pem | openssl md5
openssl x509 -modulus -noout -in certificate.pem | openssl md5
If they don't match, then you have the wrong key for your certificate.
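The same check as an added shell example (not part of the original answer): it compares the full public key instead of the RSA modulus, so it also covers EC keys, and it reports an unreadable key (such as a wrong passphrase) separately from a mismatch. The function names, file names and the passphrase `demo` are assumptions, and the sample certificate and keys are constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example: does this private key belong to this certificate?
# Compares the public key (SubjectPublicKeyInfo) of both files.

# Print the certificate's public key as normalized PEM.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout 2>/dev/null
}

# Print the public key derived from a private key ($2 = passphrase, may be empty).
key_pubkey() {
    openssl pkey -in "$1" -passin "pass:${2:-}" -pubout 2>/dev/null
}

# key_matches_cert CERT KEY [PASSPHRASE]
# Returns 0 = match, 1 = mismatch, 2 = certificate or key could not be read
# (for example a wrong passphrase on an encrypted key).
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2" "${3:-}") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: a self-signed certificate with its encrypted RSA key
# (passphrase "demo"), plus an unrelated, unencrypted EC key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=constructed-example" -passout pass:demo \
        -keyout "$1/good.key" -out "$1/cert.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/other.key" 2>/dev/null
}

# Run one check and print its return code next to a label.
report() {
    local label rc=0
    label=$1; shift
    key_matches_cert "$@" || rc=$?
    echo "$label: $rc"
}

tmp=$(mktemp -d)
make_samples "$tmp"
report "matching key, right passphrase" "$tmp/cert.pem" "$tmp/good.key" demo
report "matching key, wrong passphrase" "$tmp/cert.pem" "$tmp/good.key" wrong
report "unrelated key" "$tmp/cert.pem" "$tmp/other.key"
rm -rf "$tmp"
```

A return code of 2 means the comparison never happened, so it says nothing about whether the key and certificate belong together.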