Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates

broz69

Joined: 28 Nov 08
Posts: 30
Credit: 14,608,491
RAC: 17,427
Message 42719 - Posted: 31 May 2020, 10:31:07 UTC - in response to Message 42675.  

Hi,

I don't have ca-bundle.crt on my Windows 10 computer in BOINC directory. So where do root certificates come from in this case?

What is weird is that some ATLAS jobs uploaded the results to LHC but the job in BOINC still shows "Ready to report"...

So what else can I do?
ID: 42719
computezrmle
Volunteer moderator
Volunteer developer
Volunteer tester
Help desk expert
Joined: 15 Jun 08
Posts: 2386
Credit: 222,932,134
RAC: 137,676
Message 42720 - Posted: 31 May 2020, 11:07:09 UTC - in response to Message 42719.  

I don't have ca-bundle.crt on my Windows 10 computer in BOINC directory. So where do root certificates come from in this case?

It's usually part of the BOINC package.
You may download the recent version from:
https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt


What is weird is that some ATLAS jobs uploaded the results to LHC but the job in BOINC still shows "Ready to report"...

Nothing weird.
Result uploads go to lhcathome-upload.cern.ch via HTTP.
Result reporting goes to lhcathome.cern.ch via HTTPS.
The latter requires the server certificate to be confirmed by the CA certificate chain.
ID: 42720
broz69

Joined: 28 Nov 08
Posts: 30
Credit: 14,608,491
RAC: 17,427
Message 42721 - Posted: 31 May 2020, 11:56:40 UTC - in response to Message 42720.  

OK.

I downloaded the file ca-bundle.crt from github, put it in BOINC directory, restarted BOINC client and still get the same error "31/05/2020 13:47:03 | LHC@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates"

31/05/2020 13:46:50 | | Starting BOINC client version 7.16.5 for windows_x86_64
31/05/2020 13:46:50 | | log flags: file_xfer, sched_ops, task
31/05/2020 13:46:50 | | Libraries: libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.8

What else can I do?
ID: 42721
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42722 - Posted: 31 May 2020, 12:04:33 UTC - in response to Message 42719.  

Hi,

I don't have ca-bundle.crt on my Windows 10 computer in BOINC directory. So where do root certificates come from in this case?

What is weird is that some ATLAS jobs uploaded the results to LHC but the job in BOINC still shows "Ready to report"...

So what else can I do?


You should have one or Boinc wouldn't work at all, are you looking in the right directory? It's in c:\Program files\Boinc, NOT c:\program data\Boinc, Boinc has two directories it uses.
ID: 42722
broz69

Joined: 28 Nov 08
Posts: 30
Credit: 14,608,491
RAC: 17,427
Message 42723 - Posted: 31 May 2020, 15:50:30 UTC - in response to Message 42722.  

Thank you. I found it in a directory where boinc.exe is situated. I changed the one with the one from github, restarted the BOINC client and the same result:

31/05/2020 17:43:20 | LHC@home | Sending scheduler request: Requested by user.
31/05/2020 17:43:20 | LHC@home | Reporting 73 completed tasks
31/05/2020 17:43:20 | LHC@home | Requesting new tasks for CPU and AMD/ATI GPU
31/05/2020 17:43:21 | LHC@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31/05/2020 17:43:23 | | Project communication failed: attempting access to reference site
31/05/2020 17:43:25 | | Internet access OK - project servers may be temporarily down.
31/05/2020 17:44:42 | LHC@home | Fetching scheduler list
31/05/2020 17:44:44 | | Project communication failed: attempting access to reference site
31/05/2020 17:44:45 | | Internet access OK - project servers may be temporarily down.

I compared the two ca-bundle.crt files and the content is exactly the same (apart from date and time modified).
ID: 42723
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42724 - Posted: 31 May 2020, 19:34:13 UTC - in response to Message 42723.  
Last modified: 31 May 2020, 19:35:52 UTC

Thank you. I found it in a directory where boinc.exe is situated. I changed the one with the one from github, restarted the BOINC client and the same result:

31/05/2020 17:43:20 | LHC@home | Sending scheduler request: Requested by user.
31/05/2020 17:43:20 | LHC@home | Reporting 73 completed tasks
31/05/2020 17:43:20 | LHC@home | Requesting new tasks for CPU and AMD/ATI GPU
31/05/2020 17:43:21 | LHC@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31/05/2020 17:43:23 | | Project communication failed: attempting access to reference site
31/05/2020 17:43:25 | | Internet access OK - project servers may be temporarily down.
31/05/2020 17:44:42 | LHC@home | Fetching scheduler list
31/05/2020 17:44:44 | | Project communication failed: attempting access to reference site
31/05/2020 17:44:45 | | Internet access OK - project servers may be temporarily down.

I compared the two ca-bundle.crt files and the content is exactly the same (apart from date and time modified).


Try the one from Toby Broom, we know this works, many have used it. The github one is probably still out of date.
https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP
ID: 42724
Richard Haselgrove

Joined: 27 Oct 07
Posts: 186
Credit: 3,297,640
RAC: 0
Message 42728 - Posted: 1 Jun 2020, 9:50:20 UTC

If any Windows user, 64-bit only, is still affected by this, there is a hotfix v7.16.7 of BOINC available from https://boinc.berkeley.edu/download.php
ID: 42728
zepingouin
Joined: 7 Jan 07
Posts: 41
Credit: 15,959,427
RAC: 271
Message 42732 - Posted: 1 Jun 2020, 12:13:54 UTC

I confirm there is no problem with Ubuntu 18.04 but there is also the same certificate problem with Debian Stretch.
The following command in Debian indicates an expired certificate:
wget -v https://lhcathome.cern.ch/lhcathome

I copied /etc/ssl/certs/ca-certificates.crt (which is the file linked to ca-bundle.crt in /var/lib/boinc) from Ubuntu to Debian with no success.
ID: 42732
computezrmle
Volunteer moderator
Volunteer developer
Volunteer tester
Help desk expert
Joined: 15 Jun 08
Posts: 2386
Credit: 222,932,134
RAC: 137,676
Message 42734 - Posted: 1 Jun 2020, 13:00:23 UTC - in response to Message 42732.  

It most likely depends on how your ssl helper apps (openssl ...) deal with expired CA certificates.
In short:
Older ssl clients can't deal with it, newer clients can.

More info can be found here (link copied from the github BOINC forum):
https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration


Since yesterday the BOINC source tree for version 7.16 includes a ca-bundle.crt where expired certificates have been removed but this file has not (yet?) been included in the master branch.

You can either wait until a recent 7.16 BOINC packet will be available or download the recent ca-bundle.crt from the 7.16 branch:
https://github.com/BOINC/boinc/blob/client_release/7/7.16/curl/ca-bundle.crt


This should primarily work for BOINC.
Other packets, e.g. wget, might be configured to look up CA certificates elsewhere.
ID: 42734
Robert Pick
Joined: 1 Dec 05
Posts: 62
Credit: 11,398,274
RAC: 261
Message 42735 - Posted: 1 Jun 2020, 14:21:21 UTC - in response to Message 42662.  

A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well! Old WU uploaded and new ones downloaded. Pick
ID: 42735
Keith T.
Joined: 1 Mar 07
Posts: 47
Credit: 32,356
RAC: 0
Message 42736 - Posted: 1 Jun 2020, 14:50:31 UTC - in response to Message 42735.  

A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well! Old WU uploaded and new ones downloaded. Pick


This is ok for 64bit Windows, but Android clients still have the problem.
ID: 42736
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42737 - Posted: 1 Jun 2020, 14:58:15 UTC - in response to Message 42736.  

A new version of Boinc is out. (7.16.7) I downloaded it this morning and all is well! Old WU uploaded and new ones downloaded. Pick


This is ok for 64bit Windows, but Android clients still have the problem.


There's a new Android Beta client out (not on Google Play, but it's on the Boinc website). It doesn't fix LHC. Rosetta works, but they sorted that from their end I think, as people who have not changed anything are getting tasks ok. My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called.
ID: 42737
CloverField

Joined: 17 Oct 06
Posts: 74
Credit: 51,502,460
RAC: 22,437
Message 42738 - Posted: 1 Jun 2020, 15:50:22 UTC

Should a news post be made for the solution to this issue so everyone gets a notice in their BOINC client?
ID: 42738
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42739 - Posted: 1 Jun 2020, 15:54:27 UTC - in response to Message 42738.  

Should a news post be made for the solution to this issue so everyone gets a notice in their BOINC client?


Yes, and I think an email would be even better as not everyone checks the notices within Boinc. I'm sure loads of people will disagree with me, but I think this warrants ignoring whether people have ticked the "it's ok to email me" setting. Clearly anyone running Boinc wants it to work, so they have to be informed the upgrade is necessary. I assume all they'd have to do is click something in a Boinc Manager menu?
ID: 42739
zepingouin
Joined: 7 Jan 07
Posts: 41
Credit: 15,959,427
RAC: 271
Message 42740 - Posted: 1 Jun 2020, 16:08:03 UTC - in response to Message 42734.  

You can either wait until a recent 7.16 BOINC packet will be available or download the recent ca-bundle.crt from the 7.16 branch:
https://github.com/BOINC/boinc/blob/client_release/7/7.16/curl/ca-bundle.crt

Now it works for wget but not for BOINC.
I guess an upgrade for BOINC is also necessary.
ID: 42740
Keith T.
Joined: 1 Mar 07
Posts: 47
Credit: 32,356
RAC: 0
Message 42741 - Posted: 1 Jun 2020, 16:49:04 UTC - in response to Message 42737.  

My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called.

There are actually 4 expired AddTrust certificates, with names that include: Class 1, Public, Qualified, and External.
All 4 expired on 30 May 2020.


https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 appears to be the authoritative reference from the issuer.

I have tried disabling them all, without success on 7.16.5 for Android.
ID: 42741
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42742 - Posted: 1 Jun 2020, 16:56:52 UTC - in response to Message 42741.  

My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called.

There are actually 4 expired AddTrust certificates, with names that include: Class 1, Public, Qualified, and External.
All 4 expired on 30 May 2020.


https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 appears to be the authoritative reference from the issuer.

I have tried disabling them all, without success on 7.16.5 for Android.


That doesn't make sense. Either it's not disabling what you tell it to, or something else has expired. Or perhaps Rosetta had the option of using a different one in the list and LHC does not, so what you've done is given it no certificates to try?
ID: 42742
Keith T.
Joined: 1 Mar 07
Posts: 47
Credit: 32,356
RAC: 0
Message 42743 - Posted: 1 Jun 2020, 17:05:00 UTC - in response to Message 42742.  
Last modified: 1 Jun 2020, 17:08:10 UTC

My phone lets me in settings disable individual certificates, so I would have thought we could just turn off the offending one, if anyone knows what it's called.

There are actually 4 expired AddTrust certificates, with names that include: Class 1, Public, Qualified, and External.
All 4 expired on 30 May 2020.


https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 appears to be the authoritative reference from the issuer.

I have tried disabling them all, without success on 7.16.5 for Android.


That doesn't make sense. Either it's not disabling what you tell it to, or something else has expired. Or perhaps Rosetta had the option of using a different one in the list and LHC does not, so what you've done is given it no certificates to try?


I currently have 3 LHC tasks in progress, 2 are Ready to Report, about 60 hours of work. Deadline is 3 June according to the client, but 4 June on the website !

In Android 7.0 settings, Security, I have disabled the expired certificates, but I can't see any option to delete or remove.
ID: 42743
Mr P Hucker
Joined: 12 Aug 06
Posts: 418
Credit: 5,667,249
RAC: 48
Message 42744 - Posted: 1 Jun 2020, 17:17:55 UTC - in response to Message 42743.  
Last modified: 1 Jun 2020, 17:23:01 UTC

I currently have 3 LHC tasks in progress, 2 are Ready to Report, about 60 hours of work.


Since everyone is in the same boat, I would hope that those tasks will be both useful to them when you're able to connect, and you'll get credit for them. Keep them until you can get it working, even if they go past the sellby date.

Deadline is 3 June according to the client, but 4 June on the website !


There's a long standing "bug" with LHC, it's always a day out, nobody knows why, possibly some kind of leeway in case it's a bit late? I just downloaded 1 Theory task to test it (on a Windows 10 machine) and it has 10 days to go according to my computer, yet the LHC server says 11 days.

In Android 7.0 settings, Security, I have disabled the expired certificates, but I can't see any option to delete or remove.


Maybe there are no unexpired ones on Android that LHC can use? Removing just one of them in a Windows PC made Rosetta and LHC work immediately.

Or maybe since you only disabled it, that's made it not bother looking for others. In Windows I actually deleted it (manually in the text file), so it was forced to look for something else. I too have seen no option to delete a certificate on my Android 7.0.
ID: 42744
Keith T.
Joined: 1 Mar 07
Posts: 47
Credit: 32,356
RAC: 0
Message 42749 - Posted: 1 Jun 2020, 17:45:51 UTC - in response to Message 42744.  

I haven't given up on them, although I have suspended the 3rd one until this is resolved by either BOINC, or LHC, or even by an Android update.

I even tried, Remove all certificates, but that only removes User certificates, not System ones.
ID: 42749