Message boards :
Number crunching :
Peer certificate cannot be authenticated with given CA certificates
Message board moderation
Previous · 1 · 2 · 3 · 4 · 5 · Next
Author | Message |
---|---|
Send message Joined: 28 Nov 08 Posts: 30 Credit: 14,608,491 RAC: 17,427 |
Hi, I don't have ca-bundle.crt on my Windows 10 computer in BOINC directory. So where do root certificates come from in this case? What is wierd is that some ATLAS jobs uploaded the results to LHC but the job in BOINC still shows "Ready to report"... So what else can I do? |
Send message Joined: 15 Jun 08 Posts: 2386 Credit: 222,932,134 RAC: 137,676 |
I don't have ca-bundle.crt on my Windows 10 computer in BOINC directory. So where do root certificates come from in this case? It's usually part of the BOINC package. You may download the recent version from: https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt What is wierd is that some ATLAS jobs uploaded the results to LHC but the job in BOINC still shows "Ready to report"... Nothing weird. Result uploads go to lhcathome-upload.cern.ch via HTTP. Result reporting goes to lhcathome.cern.ch via HTTPS. The latter requires the server certificate to be confirmed by the CA certificate chain. |
Send message Joined: 28 Nov 08 Posts: 30 Credit: 14,608,491 RAC: 17,427 |
OK. I downloaded the file ca-bundle.crt from github, put it in BOINC direcotry, restarted BOINC client and still get the same error "31/05/2020 13:47:03 | LHC@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates" 31/05/2020 13:46:50 | | Starting BOINC client version 7.16.5 for windows_x86_64 31/05/2020 13:46:50 | | log flags: file_xfer, sched_ops, task 31/05/2020 13:46:50 | | Libraries: libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.8 What else can I do? |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
Hi, You should have one or Boinc wouldn't work at all, are you looking in the right directory? It's in c:\Program files\Boinc, NOT c:\program data\Boinc, Boinc has two directories it uses. |
Send message Joined: 28 Nov 08 Posts: 30 Credit: 14,608,491 RAC: 17,427 |
Thank you. I found it in a directory where boinc.exe is situated. I changed the one with the one from github, restarted the BOINC client and the same result: 31/05/2020 17:43:20 | LHC@home | Sending scheduler request: Requested by user. 31/05/2020 17:43:20 | LHC@home | Reporting 73 completed tasks 31/05/2020 17:43:20 | LHC@home | Requesting new tasks for CPU and AMD/ATI GPU 31/05/2020 17:43:21 | LHC@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates 31/05/2020 17:43:23 | | Project communication failed: attempting access to reference site 31/05/2020 17:43:25 | | Internet access OK - project servers may be temporarily down. 31/05/2020 17:44:42 | LHC@home | Fetching scheduler list 31/05/2020 17:44:44 | | Project communication failed: attempting access to reference site 31/05/2020 17:44:45 | | Internet access OK - project servers may be temporarily down. I compared the two ca-bundle.crt files and the content is exactly the same (apart from date and time modified). |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
Thank you. I found it in a directory where boinc.exe is situated. I changed the one with the one from github, restarted the BOINC client and the same result: Try the one from Toby Broom, we know this works, many have used it. The github one is probably still out of date. https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP |
Send message Joined: 27 Oct 07 Posts: 186 Credit: 3,297,640 RAC: 0 |
If any Windows user, 64-bit only, is still affected by this, there is a hotfix v7.16.7 of BOINC available from https://boinc.berkeley.edu/download.php |
Send message Joined: 7 Jan 07 Posts: 41 Credit: 15,959,427 RAC: 271 |
I confirm there is no problem with Ubuntu 18.04 but there is also the same certificate problem with Debian Stretch. The following command in Debian indicates an expired certificate: wget -v https://lhcathome.cern.ch/lhcathome I copied /etc/ssl/certs/ca-certificates.crt (which is the file linked to ca-bundle.crt in /var/lib/boinc) from Ubuntu to Debian with no success. |
Send message Joined: 15 Jun 08 Posts: 2386 Credit: 222,932,134 RAC: 137,676 |
It most likely depends on how your ssl helper apps (openssl ...) deal with expired CA certificates. In short: Older ssl clients can't deal with it, newer clients can. More info can be found here (link copied from the github BOINC forum): https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration Since yesterday the BOINC source tree for version 7.16 includes a ca-bundle.crt where expired certificates have been removed but this file has not (yet?) been included in the master branch. You can either wait until a recent 7.16 BOINC packet will be available or download the recent ca-bundle.crt from the 7.16 branch: https://github.com/BOINC/boinc/blob/client_release/7/7.16/curl/ca-bundle.crt This should primarily work for BOINC. Other packets, e.g. wget, might be configured to lookup CA certificates elsewhere. |
Send message Joined: 1 Dec 05 Posts: 62 Credit: 11,398,274 RAC: 261 |
A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well!. Old WU uploaded and new ones downloaded. Pick |
Send message Joined: 1 Mar 07 Posts: 47 Credit: 32,356 RAC: 0 |
A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well!. Old WU uploaded and new ones downloaded. Pick This is ok for 64bit Windows, but Android clients still have the problem. |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well!. Old WU uploaded and new ones downloaded. Pick There's a new Android Beta client out (not on Google Play, but it's on the Boinc website). It doesn't fix LHC. Rosetta works, but they sorted that from their end I think, as people who have not changed anything are getting tasks ok. My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called. |
Send message Joined: 17 Oct 06 Posts: 74 Credit: 51,502,460 RAC: 22,437 |
Should a news post be made for the solution to this issue so everyone gets a notice in there BOINC client? |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
Should a news post be made for the solution to this issue so everyone gets a notice in there BOINC client? Yes, and I think an email would be even better as not everyone checks the notices within Boinc. I'm sure loads of people will disagree with me, but I think this warrants ignoring whether people have ticked the "it's ok to email me" setting. Clearly anyone running Boinc wants it to work, so they have to be informed the upgrade is necessary. I assume all they'd have to do is click something in a Boinc Manager menu? |
Send message Joined: 7 Jan 07 Posts: 41 Credit: 15,959,427 RAC: 271 |
You can either wait until a recent 7.16 BOINC packet will be available or download the recent ca-bundle.crt from the 7.16 branch: Now it works for wget but not for BOINC. I guess an upgrade for BOINC is also necessary. |
Send message Joined: 1 Mar 07 Posts: 47 Credit: 32,356 RAC: 0 |
My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called. There are actually 4 expired AddTrust certificates, with names that include: Class 1, Public, Qualified, and External. All 4 expired on 30 May 2020. https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 appears to be the authoritative reference from the issuer. I have tried disabling them all, without success on 7.16.5 for Android. |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called. That doesn't make sense. Either it's not disabling what you tell it to, or something else has expired. Or perhaps Rosetta had the option of using a different one in the list and LHC does not, so what you've done is given it no certificates to try? |
Send message Joined: 1 Mar 07 Posts: 47 Credit: 32,356 RAC: 0 |
My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called. I currently have 3 LHC tasks in progress, 2 are Ready to Report, about 60 hours of work. Deadline is 3 June according to the client, but 4 June on the website ! In Android 7.0 settings, Security, I have disabled the expired certificates, but I can't see any option to delete or remove. |
Send message Joined: 12 Aug 06 Posts: 418 Credit: 5,667,249 RAC: 48 |
I currently have 3 LHC tasks in progress, 2 are Ready to Report, about 60 hours of work. Since everyone is in the same boat, I would hope that those tasks will be both useful to them when you're able to connect, and you'll get credit for them. Keep them until you can get it working, even if they go past the sellby date. Deadline is 3 June according to the client, but 4 June on the website ! There's a long standing "bug" with LHC, it's always a day out, nobody knows why, possibly some kind of leeway in case it's a bit late? I just downloaded 1 Theory task to test it (on a Windows 10 machine) and it has 10 days to go according to my computer, yet the LHC server says 11 days. In Android 7.0 settings, Security, I have disabled the expired certificates, but I can't see any option to delete or remove. Maybe there are no unexpired ones on Android that LHC can use? Removing just one of them in a Windows PC made Rosetta and LHC work immediately. Or maybe since you only disabled it, that's made it not bother looking for others. In Windows I actually deleted it (manually in the text file), so it was forced to look for something else. I too have seen no option to delete a certificate on my Android 7.0. |
Send message Joined: 1 Mar 07 Posts: 47 Credit: 32,356 RAC: 0 |
I haven't given up on them, although I have suspended the 3rd one until this is resolved by either BOINC, or LHC, or even by an Android update I even tried, Remove all certificates, but that only removes User certificates, not System ones. |
©2024 CERN