LHC@home

I can confirm that Linux (fedora 30) is working fine with no certificate issues. So far anyway on LHC & Rosetta

Add NumberFields@home as another project affected.

Unfortunately, opening ca-bundle.crt in Windows only shows the details for the first of the 133 certificates in the bundle. I've been through them all, and - although a few of them have expired - none expired this morning.

Although the COMODO certificate authenticating this website, and the InCommon certificate authenticating the NumberFields and Rosetta websites, all seem to be in order, I've seen a suggestion on the web that certificates may be rejected as expired in some cases when a newer certificate is issued (even if the old one appears still to have time left to run before expiry).

Just noticed this in Opera browser on Windows 10:
This discussion is fine, but this thread: https://lhcathome.cern.ch/lhcathome/forum_thread.php?id=5387
Which has images, specifically http://cms-results.web.cern.ch/cms-results/public-results/publications/SMP-15-003/CMS-SMP-15-003_Figure_006-a.png
Shows: https://www.dropbox.com/s/6qjbvllcsgslvrt/unsecure.jpg?dl=0

I can see the images just fine however I am getting a big not secure icon in the top left of chrome.

I can confirm that Linux (fedora 30) is working fine with no certificate issues. So far anyway on LHC & Rosetta

Yes, I am OK too uploading to Rosetta with Ubuntu 18.04.4.
It is only my Windows 7 64-bit machine that is still stuck.

but the web link is http so by definition it wouldn't be secure :)

if you link to https then it's all good.

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.

I made my own updated cert and it's working fine now it would appear.

but the web link is http so by definition it wouldn't be secure :)

if you link to https then it's all good.

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.

It needs to be rebuilt? Can't we just all get a new certificate file? I guess a new build would come out as an autoupdate to those who don't know about this?

---

No problems for me with Ubuntu running on a Raspberry Pi but Rosetta and LHC are both giving me certificate errors on Windows 10. I've even tried copying Linux's ca-certificates.crt and using it in the place of Window's ca-bundle.crt but it still errored.
Not sure why Windows is erroring with the same certificates, but Linux isn't.

There is an expired cert that walli reports so it so a new build of BOINC needs to be made with updated certs.

Why, though, do other projects within BOINC work without problems, like GPUGRID and WCG ?

I guess that OK for some techy people, but not for average person.

You can do what I did based on the discussion at the main boinc website.

This workaround on the Rosetta forum has fixed my Windows problems:

https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

They don't use https, so they aren't effected.

I can only assume that windows is more strict with applying the times from certs? Although I find that hard to believe.

I can imagine at 00:00 the Linux host will also fail over?

They don't use https, so they aren't effected.

Universe does, but that continued to work.

---

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.

Can confirm that this works as well.

Hopefully the BOINC team will be able to get a new build out with the new certs as well before everything breaks.

Seems to be fixed with the workaround on
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006&postid=96882

LHC & Rosetta both seem to work. Other projects still work.

Can confirm that this works as well.

Hopefully the BOINC team will be able to get a new build out with the new certs as well before everything breaks.

Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.

---

According to Sectigo's knowledge base (https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT) there shouldn't be an issue if one of the following CA certs is available:
USERTrust RSA Certification Authority: https://crt.sh/?id=1199354
COMODO RSA Certification Authority: https://crt.sh/?id=1720081

Both certs have been issued 2010 and are already included in BOINC's ca-bundle.crt from 2018:
https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt

Since BOINC uses curl to send out HTTP requests and curl needs access to the cerificate list it should be checked if for some reason there are remains from older installations (BOINC/curl) that point to outdated certificate lists.

Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.

I don't think that BOINC updates automatically. Once a new version is published, everyone will have to install it manually. At least that's what I guess.

And yes, most of the users won't know what's wrong all of a sudden, unless they start digging into all the forum postings at LHC and/or Rosetta :-(

Does Boinc autoupdate? Otherwise 90% of users won't know what's wrong.

I don't think that BOINC updates automatically. Once a new version is published, everyone will have to install it manually. At least that's what I guess.

And yes, most of the users won't know what's wrong all of a sudden, unless they start digging into all the forum postings at LHC and/or Rosetta :-(

If there's no autoupdate, I think this warrants an email to everyone from the affected projects (presumably a vast number of people have consented to emails from them in preferences). People may not see a notice within Boinc. A lot of folk not knowing what's happened may assume the projects are down and go to different ones.

---

Alot of people are about to find out about this the hard way
turns out alot of people were using this cert provider.

https://twitter.com/sleevi_/status/1266647545675210753

I don't actually recall the internet being any unsafer before everyone started this SSL stuff.

---