diff --git a/CHANGES b/CHANGES
index 5e02926a31..33bab64144 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
+			error queue was not logged. [GL #476]
+
 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
 			ignored for zones which were not yet loaded or
 			transferred. [GL #468]
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index c6d641edeb..a24aba0e27 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -388,7 +388,7 @@ dst__openssl_destroy(void) {
 static isc_result_t
 toresult(isc_result_t fallback) {
 	isc_result_t result = fallback;
-	unsigned long err = ERR_get_error();
+	unsigned long err = ERR_peek_error();
 #if defined(HAVE_OPENSSL_ECDSA) && \
     defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
 	int lib = ERR_GET_LIB(err);