Warning: Verisign/Symantec Class 3 Public Primary CA root certificate being dropped from ca-bundle.crt

Jord (Volunteer tester, Help desk expert; joined 29 Aug 05; posts: 15477; Netherlands)
Message 66113 - Posted: 14 Dec 2015, 21:07:53 UTC
Last modified: 14 Dec 2015, 21:09:48 UTC

Due to Google moving to distrust the “Class 3 Public Primary CA” root certificate operated by Symantec Corporation, we're removing the Symantec/Verisign Class 3 Public Primary CA root certificate from ca-bundle.crt, bundled with BOINC clients.

Things you can expect that will happen due to this removal:

- In the worst case ‘one additional certificate authority’ is trusted by the BOINC client that browsers do not trust. Volunteers would be more annoyed with their browser not working against a project server than with the BOINC client that is working.

- By removing the cert, we potentially can cause a problem where new clients stop working while the browser continues to work for a few weeks (until the various vendors remove the root CA certificate from their root stores).

- The more common scenario will be that new clients stop working against a project.

Making a backup copy of your old ca-bundle.crt (in the BOINC program directory) and putting it back in place of the new certificate file may overcome this, until the project catches up.
ID: 66113

Jord (Volunteer tester, Help desk expert; joined 29 Aug 05; posts: 15477; Netherlands)
Message 66115 - Posted: 14 Dec 2015, 23:24:20 UTC

Rom Walton wrote:
I’ve removed the old root CA from the bundle.

WCG and E@H are using certs from Thawte while R@H is using a cert from Comodo.
CERN is using self-signed certs for their HTTPS traffic.

I don’t expect that this is going to be an issue within the BOINC world.

----- Rom
ID: 66115

eagle275 (joined 15 Feb 16; posts: 7; Germany)
Message 67753 - Posted: 15 Feb 2016, 3:59:39 UTC - in response to Message 66115.

Well .. turns out IT IS A (small) PROBLEM...

I've been running BOINC for some years - and on Windows it's running fine - but recently I started running it on my Raspberry Pi ... And this little bugger now reports the nice CA certificate error for E@H and WCG ... the error started after I reinstalled the Raspbian image and therefore had to install BOINC anew.

I did a quick Google search which led me to an old error report from 2009 with the same errors - only that the offered ca-bundle.crt file obviously contains the now disabled certs - and can't be downloaded anymore ...

Any hints what I can do? Or will it really fix itself over time? Though it's kind of annoying seeing that error message for more than 2 weeks ...
ID: 67753

Jord (Volunteer tester, Help desk expert; joined 29 Aug 05; posts: 15477; Netherlands)
Message 67761 - Posted: 15 Feb 2016, 10:17:59 UTC - in response to Message 67753.

I have forwarded this to the developers.
But a question though: does Einstein use an HTTPS connection as well for its server communications? (I know all projects should start doing that soon, but I don't know which are already doing it.)
ID: 67761

eagle275 (joined 15 Feb 16; posts: 7; Germany)
Message 67763 - Posted: 15 Feb 2016, 11:46:59 UTC - in response to Message 67761.

Thanks for your reply.
As for your question, I am not 100% sure - but out of my 14 projects only WCG and E@H complain about the CA certificate - so I assume both use HTTPS, while the others either don't - or are satisfied with the installed certificates, while those 2 aren't. I checked the file ca-bundle.crt and it contains dozens of certificates.

I must admit that I am not that much of a pro with the Raspi yet - but I installed the latest BOINC directly from the Raspbian repositories, and I know that both projects used to be able to communicate before I recently had to rewrite the image and install BOINC anew.
ID: 67763

Jord (Volunteer tester, Help desk expert; joined 29 Aug 05; posts: 15477; Netherlands)
Message 67764 - Posted: 15 Feb 2016, 12:06:48 UTC - in response to Message 67763.

Unless the BOINC installed from the Raspbian repositories is 7.6.22 or higher, it should contain the older ca-bundle.crt file with the certs still in it. If your ca-bundle.crt still has "Verisign Class 3 Public Primary Certification Authority" in it, it's an older one.
ID: 67764

SekeRob2 (joined 6 Jul 10; posts: 585; Italy)
Message 67765 - Posted: 15 Feb 2016, 12:32:40 UTC - in response to Message 67763.

eagle275 wrote:
Thanks for your reply.
As for your question, I am not 100% sure - but out of my 14 projects only WCG and E@H complain about the CA certificate - so I assume both use HTTPS, while the others either don't - or are satisfied with the installed certificates, while those 2 aren't. I checked the file ca-bundle.crt and it contains dozens of certificates.

I must admit that I am not that much of a pro with the Raspi yet - but I installed the latest BOINC directly from the Raspbian repositories, and I know that both projects used to be able to communicate before I recently had to rewrite the image and install BOINC anew.

Don't assume, check their forum, and then you'd have learned that HTTPS is/was enforced, now lifted to the level of TLS 1.2: https://secure.worldcommunitygrid.org/about_us/viewNewsArticle.do?articleId=462 . SHA-2/SHA-256 was already applied, which essentially made older installs break, unless certain SSL files were back-ported manually or installs were upgraded to 7.2.47 or later.
Coelum Non Animum Mutant, Qui Trans Mare Currunt
ID: 67765

eagle275 (joined 15 Feb 16; posts: 7; Germany)
Message 67766 - Posted: 15 Feb 2016, 13:04:33 UTC - in response to Message 67764.

Well, my BOINC Manager reports a client version of 7.4.23.

I enabled some more debug messages and now it's clear - E@H wants to connect via HTTPS.

I'll dig around some more and report back if I can solve the issue. Part of the issue seems to be the access rights to ca-bundle.crt and the path where BOINC expects that file...
ID: 67766

SekeRob2 (joined 6 Jul 10; posts: 585; Italy)
Message 67767 - Posted: 15 Feb 2016, 13:27:59 UTC - in response to Message 67766.

If I recollect correctly, there's an issue at Debian... a bug report was filed by Einstein [Christian Beer] in relation to the certificates problem. Don't know how that would impact Raspbian, but I suppose there's proliferation of some kind.
Coelum Non Animum Mutant, Qui Trans Mare Currunt
ID: 67767

eagle275 (joined 15 Feb 16; posts: 7; Germany)
Message 67769 - Posted: 15 Feb 2016, 14:10:50 UTC - in response to Message 67767.

Thanks for your hints, SekeRob2

Yes, I've read about Debian-related trouble - part of the problem is that the /etc/ssl/certs directory belongs to root, and all files in it as well - and ca-bundle.crt is a symlink to /etc/ssl/certs/ca-certificates.crt - and therefore likewise belongs to root, while BOINC runs under boinc:boinc

Though my first try, replacing the symlink with the "raw" file and making it accessible to boinc:boinc, didn't work - BOINC expects the file under CApath, which points to /etc/ssl/certs

I'll tinker around some more and report back
ID: 67769
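The checks this thread keeps circling around, collected into one small POSIX shell script as an added example (this is not BOINC project code and not the Einstein work-around linked below): list the subjects in a ca-bundle.crt to see whether the Verisign Class 3 Public Primary root is still in it (Jord's test in message 67764), compare a backed-up old bundle with the new one to see exactly which roots were dropped (the backup-and-restore idea in message 66113), resolve the Debian symlink eagle275 describes and check the real file is readable, and verify a project server's chain against the chosen bundle with openssl s_client. It assumes the openssl CLI, awk, comm and `readlink -f`; the bundle path, host names and the "Constructed Test Root" name used in testing are placeholders, not anything BOINC or a project actually ships.

```shell
#!/bin/sh
# Added example for this thread, not BOINC project code. Inspects a PEM CA
# bundle (BOINC's ca-bundle.crt, or Debian's /etc/ssl/certs/ca-certificates.crt
# that it links to) with the openssl CLI.
# Assumes: openssl, awk, comm, readlink -f (GNU coreutils or BusyBox).

# Run "openssl x509 -noout <opts>" over every certificate in a bundle, one
# openssl process per PEM block, so each output line maps to one certificate.
bundle_x509() {
    bundle="$1"; shift
    cmd="openssl x509 -noout $*"
    awk -v cmd="$cmd" '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
        keep { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { keep = 0; printf("%s", buf) | cmd; close(cmd) }
    ' "$bundle"
}

# Number of certificates in the bundle.
bundle_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# One "subject=..." line per certificate. OpenSSL 1.0 and 1.1+/3 print the
# subject differently, but both contain the CN text, so substring matching works.
bundle_subjects() { bundle_x509 "$1" -subject; }

# Exit 0 if any subject contains the string, e.g. "Class 3 Public Primary"
# for the Verisign/Symantec root this thread is about.
bundle_has_subject() { bundle_subjects "$1" | grep -q -- "$2"; }

# One SHA-256 fingerprint line per certificate (stable identity across
# bundle versions, unlike the subject text formatting).
bundle_fingerprints() { bundle_x509 "$1" -fingerprint -sha256; }

# Fingerprints present in the old bundle (your backup copy) but absent from
# the new one: the roots the update dropped.
bundle_removed_roots() {
    oldlist="$(mktemp)"; newlist="$(mktemp)"
    bundle_fingerprints "$1" | sort > "$oldlist"
    bundle_fingerprints "$2" | sort > "$newlist"
    comm -23 "$oldlist" "$newlist"
    rm -f "$oldlist" "$newlist"
}

# Debian points ca-bundle.crt at /etc/ssl/certs/ca-certificates.crt via a
# symlink; resolve it and check the real file is readable by the current user
# (run this as the boinc account to see what the client sees).
bundle_target() { readlink -f "$1"; }
bundle_readable() { [ -r "$(readlink -f "$1")" ]; }

# Verify a project server's chain against this bundle instead of the system
# store, which is what a client using the bundle as its CAfile effectively does.
verify_host_with_bundle() {
    host="$1"; port="${2:-443}"; bundle="$3"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$bundle" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone use: sh cabundle-check.sh /path/to/ca-bundle.crt [host [port]]
# (path and host are placeholders; point them at your own client and project).
if [ -n "${1:-}" ]; then
    echo "bundle: $1 -> $(bundle_target "$1") ($(bundle_count "$1") certificates)"
    bundle_readable "$1" || echo "WARNING: $(bundle_target "$1") is not readable by $(id -un)"
    if bundle_has_subject "$1" "Class 3 Public Primary"; then
        echo "Verisign/Symantec Class 3 Public Primary root is present (an older bundle)"
    else
        echo "Verisign/Symantec Class 3 Public Primary root is not present"
    fi
    if [ -n "${2:-}" ]; then
        if verify_host_with_bundle "$2" "${3:-443}" "$1"; then
            echo "$2: chain verifies against this bundle"
        else
            echo "$2: chain does NOT verify against this bundle"
        fi
    fi
fi
```

To see what a BOINC update removed, keep the backup copy Jord suggests and run `bundle_removed_roots old-ca-bundle.crt ca-bundle.crt`; to reproduce the Debian symptom, run `bundle_readable` and `verify_host_with_bundle` as the boinc user rather than as root, since root can read anything and the client cannot.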

Juha (Volunteer developer, Volunteer tester, Help desk expert; joined 20 Nov 12; posts: 801; Finland)
Message 67777 - Posted: 15 Feb 2016, 22:20:02 UTC - in response to Message 67753.

This is a problem with Debian Jessie and Raspbian Jessie. See the threads at Einstein for more information and a work-around.

Attention when updating Debian stable (Jessie)
Can't contact EAH Servers - Peer Certificate Cannot be Authenticated...
ID: 67777

eagle275 (joined 15 Feb 16; posts: 7; Germany)
Message 67845 - Posted: 17 Feb 2016, 12:53:09 UTC - in response to Message 67777.

Thanks Juha - that really helped, but leaves some questions unanswered.
I hope it will get better once we get Raspbian based on Debian Stretch on the Pi.
ID: 67845


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.