Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates
Message board moderation

To post messages, you must log in.

Previous · 1 · 2 · 3 · 4 · 5 · Next

AuthorMessage
nairb

Send message
Joined: 1 May 07
Posts: 27
Credit: 2,261,879
RAC: 1,341
Message 42689 - Posted: 30 May 2020, 15:24:10 UTC

I can confirm that Linux (fedora 30) is working fine with no certificate issues. So far anyway on LHC & Rosetta
ID: 42689 · Report as offensive     Reply Quote
CloverField

Send message
Joined: 17 Oct 06
Posts: 78
Credit: 54,288,749
RAC: 38,217
Message 42690 - Posted: 30 May 2020, 15:24:24 UTC - in response to Message 42688.  

Add NumberFields@home as another project affected.

Unfortunately, opening ca-bundle.crt in Windows only shows the details for the first of the 133 certificates in the bundle. I've been through them all, and - although a few of them have expired - none expired this morning.

Although the COMODO certificate authenticating this website, and the InCommon certificate authenticating the NumberFields and Rosetta websites, all seem to be in order, I've seen a suggestion on the web that certificates may be rejected as expired in some cases when a newer certificate is issued (even if the old one appears still to have time left to run before expiry).


Just noticed this in Opera browser on Windows 10:
This discussion is fine, but this thread: https://lhcathome.cern.ch/lhcathome/forum_thread.php?id=5387
Which has images, specifically http://cms-results.web.cern.ch/cms-results/public-results/publications/SMP-15-003/CMS-SMP-15-003_Figure_006-a.png
Shows: https://www.dropbox.com/s/6qjbvllcsgslvrt/unsecure.jpg?dl=0


I can see the images just fine however I am getting a big not secure icon in the top left of chrome.
ID: 42690 · Report as offensive     Reply Quote
Jim1348

Send message
Joined: 15 Nov 14
Posts: 602
Credit: 24,371,321
RAC: 0
Message 42691 - Posted: 30 May 2020, 15:27:43 UTC - in response to Message 42689.  

I can confirm that Linux (fedora 30) is working fine with no certificate issues. So far anyway on LHC & Rosetta

Yes, I am OK too uploading to Rosetta with Ubuntu 18.04.4.
It is only my Windows 7 64-bit machine that is still stuck.
ID: 42691 · Report as offensive     Reply Quote
Toby Broom
Volunteer moderator

Send message
Joined: 27 Sep 08
Posts: 817
Credit: 663,162,004
RAC: 198,706
Message 42692 - Posted: 30 May 2020, 15:41:54 UTC - in response to Message 42690.  
Last modified: 30 May 2020, 15:47:05 UTC

but the web link is http so by definition it wouldn't be secure :)

if you link to https then it's all good.

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.

I made my own updated cert and it's working fine now it would appear.
ID: 42692 · Report as offensive     Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 429
Credit: 6,545,626
RAC: 42,180
Message 42693 - Posted: 30 May 2020, 15:46:23 UTC - in response to Message 42692.  

but the web link is http so by definition it wouldn't be secure :)

if you link to https then it's all good.

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.


It needs to be rebuilt? Can't we just all get a new certificate file? I guess a new build would come out as an autoupdate to those who don't know about this?
ID: 42693 · Report as offensive     Reply Quote
SootAndShale

Send message
Joined: 7 Apr 20
Posts: 2
Credit: 707,402
RAC: 0
Message 42694 - Posted: 30 May 2020, 15:47:14 UTC

No problems for me with Ubuntu running on a Raspberry Pi but Rosetta and LHC are both giving me certificate errors on Windows 10. I've even tried copying Linux's ca-certificates.crt and using it in the place of Window's ca-bundle.crt but it still errored.
Not sure why Windows is erroring with the same certificates, but Linux isn't.
ID: 42694 · Report as offensive     Reply Quote
Erich56

Send message
Joined: 18 Dec 15
Posts: 1725
Credit: 108,193,140
RAC: 82,877
Message 42695 - Posted: 30 May 2020, 15:47:33 UTC - in response to Message 42692.  

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.
Why, though, do other projects within BOINC work without problems, like GPUGRID and WCG ?
ID: 42695 · Report as offensive     Reply Quote
Toby Broom
Volunteer moderator

Send message
Joined: 27 Sep 08
Posts: 817
Credit: 663,162,004
RAC: 198,706
Message 42696 - Posted: 30 May 2020, 15:48:24 UTC - in response to Message 42693.  

I guess that OK for some techy people, but not for average person.

You can do what I did based on the discussion at the main boinc website.
ID: 42696 · Report as offensive     Reply Quote
SootAndShale

Send message
Joined: 7 Apr 20
Posts: 2
Credit: 707,402
RAC: 0
Message 42697 - Posted: 30 May 2020, 15:52:10 UTC

This workaround on the Rosetta forum has fixed my Windows problems:

https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882
ID: 42697 · Report as offensive     Reply Quote
Toby Broom
Volunteer moderator

Send message
Joined: 27 Sep 08
Posts: 817
Credit: 663,162,004
RAC: 198,706
Message 42698 - Posted: 30 May 2020, 15:58:21 UTC - in response to Message 42695.  

They don't use https, so they aren't effected.
ID: 42698 · Report as offensive     Reply Quote
Toby Broom
Volunteer moderator

Send message
Joined: 27 Sep 08
Posts: 817
Credit: 663,162,004
RAC: 198,706
Message 42699 - Posted: 30 May 2020, 16:00:15 UTC - in response to Message 42694.  

I can only assume that windows is more strict with applying the times from certs? Although I find that hard to believe.

I can imagine at 00:00 the Linux host will also fail over?
ID: 42699 · Report as offensive     Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 429
Credit: 6,545,626
RAC: 42,180
Message 42700 - Posted: 30 May 2020, 16:12:31 UTC - in response to Message 42698.  

They don't use https, so they aren't effected.


Universe does, but that continued to work.
ID: 42700 · Report as offensive     Reply Quote
nairb

Send message
Joined: 1 May 07
Posts: 27
Credit: 2,261,879
RAC: 1,341
Message 42701 - Posted: 30 May 2020, 16:22:23 UTC

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.
ID: 42701 · Report as offensive     Reply Quote
CloverField

Send message
Joined: 17 Oct 06
Posts: 78
Credit: 54,288,749
RAC: 38,217
Message 42702 - Posted: 30 May 2020, 16:56:45 UTC - in response to Message 42701.  

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.


Can confirm that this works as well.

Hopefully the BOINC team will be able to get a new build out with the new certs as well before everything breaks.
ID: 42702 · Report as offensive     Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 429
Credit: 6,545,626
RAC: 42,180
Message 42703 - Posted: 30 May 2020, 17:15:18 UTC - in response to Message 42702.  

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.


Can confirm that this works as well.

Hopefully the BOINC team will be able to get a new build out with the new certs as well before everything breaks.


Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.
ID: 42703 · Report as offensive     Reply Quote
computezrmle
Volunteer moderator
Volunteer developer
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 15 Jun 08
Posts: 2451
Credit: 233,954,874
RAC: 154,124
Message 42704 - Posted: 30 May 2020, 17:19:53 UTC

According to Sectigo's knowledge base (https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT) there shouldn't be an issue if one of the following CA certs is available:
USERTrust RSA Certification Authority: https://crt.sh/?id=1199354
COMODO RSA Certification Authority: https://crt.sh/?id=1720081

Both certs have been issued 2010 and are already included in BOINC's ca-bundle.crt from 2018:
https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt

Since BOINC uses curl to send out HTTP requests and curl needs access to the cerificate list it should be checked if for some reason there are remains from older installations (BOINC/curl) that point to outdated certificate lists.
ID: 42704 · Report as offensive     Reply Quote
Erich56

Send message
Joined: 18 Dec 15
Posts: 1725
Credit: 108,193,140
RAC: 82,877
Message 42705 - Posted: 30 May 2020, 17:21:58 UTC - in response to Message 42703.  

Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.
I don't think that BOINC updates automatically. Once a new version is published, everyone will have to install it manually. At least that's what I guess.

And yes, most of the users won't know what's wrong all of a sudden, unless they start digging into all the forum postings at LHC and/or Rosetta :-(
ID: 42705 · Report as offensive     Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 429
Credit: 6,545,626
RAC: 42,180
Message 42706 - Posted: 30 May 2020, 17:31:18 UTC - in response to Message 42705.  

Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.
I don't think that BOINC updates automatically. Once a new version is published, everyone will have to install it manually. At least that's what I guess.

And yes, most of the users won't know what's wrong all of a sudden, unless they start digging into all the forum postings at LHC and/or Rosetta :-(


If there's no autoupdate, I think this warrants an email to everyone from the affected projects (presumably a vast number of people have consented to emails from them in preferences). People may not see a notice within Boinc. A lot of folk not knowing what's happened may assume the projects are down and go to different ones.
ID: 42706 · Report as offensive     Reply Quote
CloverField

Send message
Joined: 17 Oct 06
Posts: 78
Credit: 54,288,749
RAC: 38,217
Message 42708 - Posted: 30 May 2020, 19:55:28 UTC

Alot of people are about to find out about this the hard way
turns out alot of people were using this cert provider.

https://twitter.com/sleevi_/status/1266647545675210753
ID: 42708 · Report as offensive     Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 429
Credit: 6,545,626
RAC: 42,180
Message 42709 - Posted: 30 May 2020, 20:05:57 UTC

I don't actually recall the internet being any unsafer before everyone started this SSL stuff.
ID: 42709 · Report as offensive     Reply Quote
Previous · 1 · 2 · 3 · 4 · 5 · Next

Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates


©2024 CERN