Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates

Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42662 - Posted: 30 May 2020, 11:14:38 UTC
Last modified: 30 May 2020, 11:34:25 UTC

Got this error with Rosetta and LHC 11:01am UTC 30th May 2020. On all my (Windows 10) machines, while requesting work.
"Peer certificate cannot be authenticated with given CA certificates"
But Universe and Einstein and Milkyway are ok.

Any ideas what screwed up? My computer? Both Rosetta and LHC at once? Boinc in general?
ID: 42662
CloverField
Joined: 17 Oct 06
Posts: 57
Credit: 11,787,283
RAC: 30,382
Message 42664 - Posted: 30 May 2020, 12:00:23 UTC
Last modified: 30 May 2020, 12:06:43 UTC

I am also getting this.
I think LHC@home's webcerts might have expired.
:C
ID: 42664
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42665 - Posted: 30 May 2020, 12:03:30 UTC - in response to Message 42664.  

I am also getting this.
I think LHC@home's webcerts might have expired.
:C


I just thought it odd that Rosetta had the same problem at precisely the same time. I guess they bought them from the same place :-)

I don't know much about certificates. I've seen my Opera browser get annoyed about them before, but other browsers aren't so fussy. I assumed Opera didn't allow any leeway but others did. I guess Boinc is equally OCD.
ID: 42665
Toby Broom
Volunteer moderator
Joined: 27 Sep 08
Posts: 598
Credit: 374,551,738
RAC: 32,197
Message 42667 - Posted: 30 May 2020, 12:11:45 UTC

I also see the same, it could be the BOINC certificate expired?
ID: 42667
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42669 - Posted: 30 May 2020, 12:14:40 UTC - in response to Message 42667.  

I also see the same, it could be the BOINC certificate expired?


But my other three projects (Universe, Milkyway, Einstein) are ok. Only Rosetta and LHC failed.

How do these certificates work? Explain like I'm five (T.M. Reddit)
ID: 42669
CloverField
Joined: 17 Oct 06
Posts: 57
Credit: 11,787,283
RAC: 30,382
Message 42670 - Posted: 30 May 2020, 12:24:52 UTC - in response to Message 42669.  
Last modified: 30 May 2020, 12:25:52 UTC

I also see the same, it could be the BOINC certificate expired?


But my other three projects (Universe, Milkyway, Einstein) are ok. Only Rosetta and LHC failed.

How do these certificates work? Explain like I'm five (T.M. Reddit)


It's basically a file with a cryptographic key in it that says hey, you can trust me from xx/xx/xxxx to xx/xx/xxxx.
If those dates go out of range you can no longer trust that connection, and in this day and age most things reject that as insecure.

Edit:

Here is a much better non-five-year-old explanation.
https://www.entrustdatacard.com/pages/ssl
ID: 42670
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42672 - Posted: 30 May 2020, 12:38:03 UTC - in response to Message 42670.  
Last modified: 30 May 2020, 12:43:39 UTC

It's basically a file with a cryptographic key in it that says hey, you can trust me from xx/xx/xxxx to xx/xx/xxxx.
If those dates go out of range you can no longer trust that connection, and in this day and age most things reject that as insecure.

Edit:

Here is a much better non-five-year-old explanation.
https://www.entrustdatacard.com/pages/ssl


I see, thanks. I've only ever had it with Opera browser before, it moaned about my own ISP's webpage when I was trying to use their forum. But it did let me continue "at my own risk". And other browsers didn't even say anything at all, I assume some have a leeway, like a cop letting you go 31 in a 30 limit.

I take it there's some kind of central place that issues these things, and that's what my computer checks it against to make sure it's really the page I think it is? Otherwise surely Mr Smith could make a fake banking page, and just hand me a "certificate", like someone coming to my door and saying "I'm a policeman and here's my badge" - I can't trust him unless I call the police station and they can confirm that particular badge wasn't just printed off by a thief's inkjet.
ID: 42672
computezrmle
Volunteer moderator
Volunteer developer
Volunteer tester
Joined: 15 Jun 08
Posts: 1479
Credit: 79,579,867
RAC: 80,415
Message 42675 - Posted: 30 May 2020, 13:14:54 UTC

You may check if your BOINC client uses the most recent CA certificates.
Locate the file ca-bundle.crt in your BOINC directory and check if the timestamp in line 4 is at least:
## Certificate data from Mozilla as of: Fri Jan 26 21:30:21 2018 GMT

If not, ca-bundle.crt has to be replaced with a version from a recent BOINC client.

The file can also be downloaded from:
https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt
ID: 42675
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42676 - Posted: 30 May 2020, 13:17:51 UTC - in response to Message 42675.  
Last modified: 30 May 2020, 13:21:32 UTC

You may check if your BOINC client uses the most recent CA certificates.
Locate the file ca-bundle.crt in your BOINC directory and check if the timestamp in line 4 is at least:
## Certificate data from Mozilla as of: Fri Jan 26 21:30:21 2018 GMT

If not, ca-bundle.crt has to be replaced with a version from a recent BOINC client.

The file can also be downloaded from:
https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt


Mine (all 6 computers) have precisely that date in there. But they will not connect to LHC or Rosetta. Universe, Milkyway, Einstein are all fine.

It was working overnight, as I have a huge number of Rosettas downloaded that weren't there when I went to bed, but as of about 11am GMT they refuse to connect.
ID: 42676
CloverField
Joined: 17 Oct 06
Posts: 57
Credit: 11,787,283
RAC: 30,382
Message 42677 - Posted: 30 May 2020, 13:42:23 UTC

I've got the same date in there as well.
ID: 42677
Jim1348
Joined: 15 Nov 14
Posts: 449
Credit: 12,186,323
RAC: 6,368
Message 42678 - Posted: 30 May 2020, 13:42:36 UTC - in response to Message 42676.  

There are complaints on Rosetta. I can't upload either, just in the past hour or so.
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=6893
ID: 42678
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42679 - Posted: 30 May 2020, 13:50:15 UTC - in response to Message 42678.  

There are complaints on Rosetta. I can't upload either, just in the past hour or so.
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=6893


Yip, and my thread there: https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006

Hopefully somebody somewhere will work out what's wrong. Not knowing anything about SSL, I don't know where it's expired.
ID: 42679
Erich56
Joined: 18 Dec 15
Posts: 1284
Credit: 23,167,310
RAC: 2,295
Message 42680 - Posted: 30 May 2020, 14:14:33 UTC
Last modified: 30 May 2020, 14:15:52 UTC

Same problem here, with LHC and Rosetta. GPUGRID and WCG are okay.

When opening the file ca-bundle.crt it shows a certificate valid from 1.9.1998 - 28.1.2028.
Besides, line 4 says "Certificate data from Mozilla as of: Fri Jan 26 21:30:21 2018 GMT"
ID: 42680
nairb
Joined: 1 May 07
Posts: 12
Credit: 1,134,823
RAC: 82
Message 42681 - Posted: 30 May 2020, 14:27:09 UTC

Same issue here. I thought LHC had lent some server capacity to Rosetta for the COVID-19 project. Maybe this has messed something up...
ID: 42681
nairb
Joined: 1 May 07
Posts: 12
Credit: 1,134,823
RAC: 82
Message 42682 - Posted: 30 May 2020, 14:28:26 UTC - in response to Message 42680.  

Same problem here, with LHC and Rosetta. GPUGRID and WCG are okay.

When opening the file ca-bundle.crt it shows a certificate valid from 1.9.1998 - 28.1.2028.
Besides, line 4 says "Certificate data from Mozilla as of: Fri Jan 26 21:30:21 2018 GMT"



Open the ca-bundle.ca with notepad or similar, then it's line 4
ID: 42682
Toby Broom
Volunteer moderator
Joined: 27 Sep 08
Posts: 598
Credit: 374,551,738
RAC: 32,197
Message 42683 - Posted: 30 May 2020, 14:41:47 UTC

I assume then it's the server-side certificate that expired for these projects, since all of our client-side certs are valid till 2028.
ID: 42683
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42684 - Posted: 30 May 2020, 15:06:21 UTC - in response to Message 42683.  

I assume then it's the server-side certificate that expired for these projects, since all of our client-side certs are valid till 2028.


Then why can people use Mac and Linux ok? Apparently only Windows is refusing.
ID: 42684
Richard Haselgrove
Joined: 27 Oct 07
Posts: 185
Credit: 3,297,428
RAC: 0
Message 42685 - Posted: 30 May 2020, 15:08:52 UTC

Add NumberFields@home as another project affected.

Unfortunately, opening ca-bundle.crt in Windows only shows the details for the first of the 133 certificates in the bundle. I've been through them all, and - although a few of them have expired - none expired this morning.

Although the COMODO certificate authenticating this website, and the InCommon certificate authenticating the NumberFields and Rosetta websites, all seem to be in order, I've seen a suggestion on the web that certificates may be rejected as expired in some cases when a newer certificate is issued (even if the old one appears still to have time left to run before expiry).
ID: 42685
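
The per-certificate check described in the post above (every entry in ca-bundle.crt, not only the first one Windows displays), as an added example that is not part of the thread or of BOINC: standard-library Python that reads the validity dates of each PEM entry in a bundle and lists those not valid at a given time. The function names and the two-entry sample bundle are constructed for illustration; the sample entries carry only the fields the parser reads and are not real certificates.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 maps 50-99 to 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of one DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0      # skip the optional [0] version field
    for _ in range(3):                   # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, val, _ = read_tlv(tbs, pos)       # Validity SEQUENCE
    t1, not_before, p = read_tlv(val, 0)
    t2, not_after, _ = read_tlv(val, p)
    return parse_time(t1, not_before), parse_time(t2, not_after)

def out_of_date(bundle, now):
    """List (position, notAfter) for every certificate not valid at `now`."""
    spans = [validity(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(bundle)]
    return [(i, na) for i, (nb, na) in enumerate(spans, 1) if not nb <= now <= na]

# Constructed sample: structure-only stand-ins (no keys, no signatures).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def fake_pem(nb, na):
    tbs = (tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") * 2
           + tlv(0x30, tlv(0x17, nb) + tlv(0x17, na)))
    der = base64.b64encode(tlv(0x30, tlv(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + der + b"\n-----END CERTIFICATE-----\n"
SAMPLE = (b"## header text\n" + fake_pem(b"980901000000Z", b"280128000000Z")
          + b"Some CA\n=======\n" + fake_pem(b"100101000000Z", b"200101000000Z"))
```

To run it against a real bundle, pass the file's bytes (opened in binary mode) and a timezone-aware `datetime` to `out_of_date`.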
Toby Broom
Volunteer moderator

Joined: 27 Sep 08
Posts: 598
Credit: 374,551,738
RAC: 32,197
Message 42687 - Posted: 30 May 2020, 15:18:16 UTC - in response to Message 42684.  

OK, that doesn't make any sense then, maybe the certificate was expired early due to some security problem? I don't think there is much we can do on the client side though?
ID: 42687
Peter Hucker
Joined: 12 Aug 06
Posts: 202
Credit: 748,769
RAC: 9,529
Message 42688 - Posted: 30 May 2020, 15:19:24 UTC - in response to Message 42685.  

Add NumberFields@home as another project affected.

Unfortunately, opening ca-bundle.crt in Windows only shows the details for the first of the 133 certificates in the bundle. I've been through them all, and - although a few of them have expired - none expired this morning.

Although the COMODO certificate authenticating this website, and the InCommon certificate authenticating the NumberFields and Rosetta websites, all seem to be in order, I've seen a suggestion on the web that certificates may be rejected as expired in some cases when a newer certificate is issued (even if the old one appears still to have time left to run before expiry).


Just noticed this in Opera browser on Windows 10:
This discussion is fine, but this thread: https://lhcathome.cern.ch/lhcathome/forum_thread.php?id=5387
Which has images, specifically http://cms-results.web.cern.ch/cms-results/public-results/publications/SMP-15-003/CMS-SMP-15-003_Figure_006-a.png
Shows: https://www.dropbox.com/s/6qjbvllcsgslvrt/unsecure.jpg?dl=0
ID: 42688

©2020 CERN