HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)

Dr Who Fan
Joined: 10 May 07
Posts: 749
United States
Message 105521 - Posted: 30 Sep 2021, 16:24:22 UTC
Last modified: 30 Sep 2021, 16:44:20 UTC

Not sure if this is a BOINC CA CERTIFICATE ERROR or that it's a PROJECT CA CERTIFICATE ERROR.

Got the following error message across all 6 of my PCs (Windows 8.1, Windows 7, Windows VISTA and Windows under WINE on Ubuntu) this morning (US time) on TWO projects, iThena and WuProp:
HTTP error: Peer certificate cannot be authenticated with given CA certificates
Running latest stable BOINC 7.16.11 Windows x64

Happened shortly after 9:00 AM local time (US CENTRAL TIME); add 5 hours to get the UTC TIME of 14:00.

Not sure if it affects any other projects. As far as I can see the SSL Security certificates for the two projects are NOT expired and are current.

Snippet from BOINC STDERR log from my Windows 8.1 PC when trying to send completed work to iThena. Similar error messages when contacting WuProp.
30-Sep-2021 09:02:24 [iThena] Sending scheduler request: To fetch work.
30-Sep-2021 09:02:24 [iThena] Requesting new tasks for CPU
30-Sep-2021 09:02:24 [iThena] [http] HTTP_OP::init_post(): https://root.ithena.net/ithena_cgi/cgi
30-Sep-2021 09:02:24 [iThena] [http] HTTP_OP::libcurl_exec(): ca-bundle set
30-Sep-2021 09:02:24 [iThena] [http] [ID#1] Info: Connection 5660 seems to be dead!
30-Sep-2021 09:02:24 [iThena] [http] [ID#1] Info: Closing connection 5660
30-Sep-2021 09:02:24 [iThena] [http] [ID#1] Info: TLSv1.2 (OUT), TLS alert, Client hello (1):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: Trying 85.204.27.80...
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: Connected to root.ithena.net (85.204.27.80) port 443 (#5663)
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: ALPN, offering http/1.1
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: successfully set certificate verify locations:
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: CAfile: C:\BOINC\ca-bundle.crt
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: CApath: none
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: SSL certificate problem: certificate has expired
30-Sep-2021 09:02:25 [iThena] [http] [ID#1] Info: Closing connection 5663
30-Sep-2021 09:02:25 [iThena] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
30-Sep-2021 09:02:26 [iThena] Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates


16:42 UTC EDIT TO ADD>>
BOINC communicates with / sends / receives tasks from my other two active projects on the PCs, Minecraft and PRIVATE GFN, with no certificate error messages.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105522 - Posted: 30 Sep 2021, 16:45:15 UTC - in response to Message 105521.  

I'd suspect it's a BOINC problem. Windows versions of BOINC rely on a 'ca-bundle.crt' file stored in your BOINC program folder, and only updated when a new version is installed. The most recent update to the sources held by BOINC was on May 31, 2020, which should have been included on v7.16.11 (released 2020-09-02) - I'll check.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105525 - Posted: 30 Sep 2021, 17:18:09 UTC

OK, I got this when attempting to attach to iThena. I expected the attach to fail, because they're not accepting new members: but that would be for the server to say, not SSL.

30/09/2021 18:05:06 |  | Fetching configuration file from https://root.ithena.net/usr/get_project_config.php
30/09/2021 18:05:06 |  | [http] HTTP_OP::init_get(): https://root.ithena.net/usr/get_project_config.php
30/09/2021 18:05:06 |  | [http] HTTP_OP::libcurl_exec(): ca-bundle 'D:\BOINC\ca-bundle.crt'
30/09/2021 18:05:06 |  | [http] HTTP_OP::libcurl_exec(): ca-bundle set
30/09/2021 18:05:06 |  | [http] [ID#2] Info:  Connection 2831 seems to be dead!
30/09/2021 18:05:06 |  | [http] [ID#2] Info:  Closing connection 2831
30/09/2021 18:05:06 |  | [http] [ID#2] Info:  Connection 2832 seems to be dead!
30/09/2021 18:05:06 |  | [http] [ID#2] Info:  Closing connection 2832
30/09/2021 18:05:06 |  | [http] [ID#2] Info:    Trying 85.204.27.80...
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  Connected to root.ithena.net (85.204.27.80) port 443 (#2833)
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  ALPN, offering http/1.1
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  successfully set certificate verify locations:
30/09/2021 18:05:07 |  | [http] [ID#2] Info:    CAfile: D:\BOINC\ca-bundle.crt
30/09/2021 18:05:07 |  | [http] [ID#2] Info:    CApath: none
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  TLSv1.2 (OUT), TLS header, Certificate Status (22):
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  TLSv1.2 (OUT), TLS handshake, Client hello (1):
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  TLSv1.2 (IN), TLS handshake, Server hello (2):
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  TLSv1.2 (IN), TLS handshake, Certificate (11):
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  TLSv1.2 (OUT), TLS alert, Server hello (2):
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  SSL certificate problem: certificate has expired
30/09/2021 18:05:07 |  | [http] [ID#2] Info:  Closing connection 2833
30/09/2021 18:05:07 |  | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
Note "CAfile: D:\BOINC\ca-bundle.crt" (yours is in C:). My BOINC client is also v7.16.11, and the ca-bundle.crt file is dated 31 May 2020.

Checking that ca-bundle.crt is still serviceable is on the Release Manager's checklist for new versions (I put it there), and there's supposed to be a new version to coincide with the release of Windows 11 on October 5. I'd suggest you wait for that release, see whether that cures the problem, and be ready to raise merry hell if it doesn't.
lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105526 - Posted: 30 Sep 2021, 17:19:55 UTC - in response to Message 105522.  
Last modified: 30 Sep 2021, 17:22:08 UTC

Yes. Let's Encrypt has updated their certificates.

The Root is the ISRG Root X1
Valid from 6/4/2015 to 6/4/2035

The intermediate is R3:
Thursday, September 3, 2020 7:00:00 PM
Monday, September 15, 2025 11:00:00 AM

30 82 01 0a 02 82 01 01 00 bb 02 15 28 cc f6 a0 94 d3 0f 12 ec 8d 55 92 c3 f8 82 f1 99 a6 7a 42 88 a7 5d 26 aa b5 2b b9 c5 4c b1 af 8e 6b f9 75 c8 a3 d7 0f 47 94 14 55 35 57 8c 9e a8 a2 39 19 f5 82 3c 42 a9 4e 6e f5 3b c3 2e db 8d c0 b0 5c f3 59 38 e7 ed cf 69 f0 5a 0b 1b be c0 94 24 25 87 fa 37 71 b3 13 e7 1c ac e1 9b ef db e4 3b 45 52 45 96 a9 c1 53 ce 34 c8 52 ee b5 ae ed 8f de 60 70 e2 a5 54 ab b6 6d 0e 97 a5 40 34 6b 2b d3 bc 66 eb 66 34 7c fa 6b 8b 8f 57 29 99 f8 30 17 5d ba 72 6f fb 81 c5 ad d2 86 58 3d 17 c7 e7 09 bb f1 2b f7 86 dc c1 da 71 5d d4 46 e3 cc ad 25 c1 88 bc 60 67 75 66 b3 f1 18 f7 a2 5c e6 53 ff 3a 88 b6 47 a5 ff 13 18 ea 98 09 77 3f 9d 53 f9 cf 01 e5 f5 a6 70 17 14 af 63 a4 ff 99 b3 93 9d dc 53 a7 06 fe 48 85 1d a1 69 ae 25 75 bb 13 cc 52 03 f5 ed 51 a1 8b db 15 02 03 01 00 01


So is there a way to download the new ca-bundle.crt in the interim? October 5th is a long way to go without uploading or downloading WUs. If BOINC is going to force the validity of certificates, then the updated file needs to be made available.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105528 - Posted: 30 Sep 2021, 17:30:22 UTC - in response to Message 105526.  
Last modified: 30 Sep 2021, 17:37:07 UTC

I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well. I seem to remember a previous panic on the last day of some earlier month, as well.

Yes, there was an emergency release of v7.16.7 on 31 May 2020, and the final code change was 'Update CA bundle'.
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14767
Netherlands
Message 105531 - Posted: 30 Sep 2021, 17:38:59 UTC - in response to Message 105528.  
Last modified: 30 Sep 2021, 17:45:15 UTC

I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well.
As is CPDN, so I'd expect an earlier update.

Checking https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/, it's the IdenTrust DST Root CA X3 that expired today.
lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105533 - Posted: 30 Sep 2021, 17:43:13 UTC - in response to Message 105528.  

But sites that use Let's Encrypt are the ones having an issue, since they updated their chain *after* that emergency release in May of 2020. October 5th is a long way away. That will be a lot of lost work and lost computational time. If you are going to use a certificate bundle that is client based, then updates to it need to be made available before issues start. I believe it is unique to Windows that the client has a local certificate file. Either that needs to be updated when the client checks for updates, or an option to launch the client so as to bypass certificate validation should be made available.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105534 - Posted: 30 Sep 2021, 17:43:41 UTC
Last modified: 30 Sep 2021, 17:45:12 UTC

Add CPDN to the list.

(sorry, Jord - I was busy replying to the CPDN moderators when you posted)
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14767
Netherlands
Message 105535 - Posted: 30 Sep 2021, 17:46:48 UTC - in response to Message 105534.  
Last modified: 30 Sep 2021, 17:53:08 UTC

It's all right, I posted to them as well and will put it on Github.

Edit: done that, let's wait and see what the devs say.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105536 - Posted: 30 Sep 2021, 17:53:31 UTC - in response to Message 105535.  

Writing to the mailing lists as we speak.
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 105537 - Posted: 30 Sep 2021, 18:06:23 UTC

What OpenSSL version does BOINC for Windows show at the beginning of the log?
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105538 - Posted: 30 Sep 2021, 18:08:29 UTC

While we wait, it's an easy job to update Windows clients with a new ca-bundle.crt file, when available: you don't even need to stop BOINC (though it might be a good idea to suspend networking while you do it).

To be safe:
Navigate to the BOINC program folder
Rename the old file
Drop in the new one.

And that's it. If it goes wrong, you can return to the old file for the projects that are still accepting it, while the dust settles.

BOINC on Linux and other operating systems uses system security, which is automatically updated when needed. There should be no need to update BOINC separately on those systems.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105539 - Posted: 30 Sep 2021, 18:10:01 UTC - in response to Message 105537.  

What OpenSSL version does BOINC for Windows show at the beginning of the log?
OpenSSL/1.0.2s
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 105540 - Posted: 30 Sep 2021, 18:18:44 UTC - in response to Message 105539.  

What OpenSSL version does BOINC for Windows show at the beginning of the log?
OpenSSL/1.0.2s

Okay, so that is the problem. BOINC's ca-bundle.crt has had the new LetsEncrypt X1 certificate since January 2018, so that doesn't need to be updated. But OpenSSL 1.0 sees the X3 certificate expired and gives up, instead of noticing the project's certificate is also signed with X1 which is still valid. The fix is updating to OpenSSL 1.1.

I already mentioned this in 2020 when the AddTrust certificate expired and we had the same problem...
lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105541 - Posted: 30 Sep 2021, 18:22:57 UTC - in response to Message 105540.  

That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue.
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 105542 - Posted: 30 Sep 2021, 18:24:07 UTC - in response to Message 105541.  

That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue.

What do you mean by "adding the certificates"? Are you modifying ca-bundle.crt?
lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105543 - Posted: 30 Sep 2021, 18:28:18 UTC - in response to Message 105542.  

That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue.

What do you mean by "adding the certificates"? Are you modifying ca-bundle.crt?


Yes.
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4635
United Kingdom
Message 105544 - Posted: 30 Sep 2021, 18:34:12 UTC - in response to Message 105543.  
Last modified: 30 Sep 2021, 18:34:38 UTC

I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).
lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105545 - Posted: 30 Sep 2021, 18:45:33 UTC - in response to Message 105544.  

I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).


Removing it does indeed remediate the issue.
Dr Who Fan
Joined: 10 May 07
Posts: 749
United States
Message 105546 - Posted: 30 Sep 2021, 18:52:22 UTC - in response to Message 105545.  

I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).


Removing it does indeed remediate the issue.

Can someone post a download link to a modified working certificate bundle, or say what section(s) of the current file to edit out?
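Nicolas's diagnosis earlier in the thread (OpenSSL 1.0 follows the chain to the expired DST Root CA X3 and stops, instead of trying the path to the still-valid ISRG Root X1) and the bodge lanbrown confirms (remove the expired root from ca-bundle.crt) can be automated, which also answers the question of which section to edit out. The script below is an added example, not BOINC's code and not something posted in this thread: standard-library Python that finds every PEM block in a bundle, reads each certificate's validity window and subject CN with a minimal DER walker, and writes a pruned copy next to the original, leaving the original untouched as Richard suggests. The two certificates it scans by default are constructed, unsigned skeletons carrying the names and dates mentioned in this thread, not the real certificates; the expiry instant used for the DST Root CA X3 fixture is an assumption matching the "around 14:00 UTC" reported above. Pass a real bundle path to scan that instead.

```python
"""Scan a PEM CA bundle (curl-style ca-bundle.crt), list each root's validity window,
and write a copy with expired roots removed. Standard library only; the DER walker
reads just the fields it needs (validity, subject CN) and is not a full X.509 parser."""
import base64
import datetime as dt
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x06\x03\x55\x04\x03"        # DER-encoded OID 2.5.4.3 (commonName)
UTC = dt.timezone.utc
THREAD_TIME = dt.datetime(2021, 9, 30, 16, 24, 22, tzinfo=UTC)   # timestamp of the opening post


def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end). Definite lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                      # RFC 5280 rule: YY < 50 is 20YY, otherwise 19YY
        yy = int(text[:2])
        text = str(2000 + yy if yy < 50 else 1900 + yy) + text[2:]
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_info(der):
    """Walk Certificate -> tbsCertificate and return (subject CN, notBefore, notAfter)."""
    _, tbs_start, _ = der_tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, tbs_start)                # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                                    # optional version [0] EXPLICIT
        pos = end
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, v_start, v_end = der_tlv(der, pos)              # validity SEQUENCE
    nb_tag, nb_s, nb_e = der_tlv(der, v_start)
    na_tag, na_s, na_e = der_tlv(der, nb_e)
    _, subj_s, subj_e = der_tlv(der, v_end)            # subject Name follows validity
    subject, cn = der[subj_s:subj_e], "<no CN>"
    at = subject.find(OID_CN)
    if at >= 0:                                        # the attribute value TLV follows the OID
        _, s, e = der_tlv(subject, at + len(OID_CN))
        cn = subject[s:e].decode("utf-8", "replace")
    return cn, der_time(nb_tag, der[nb_s:nb_e]), der_time(na_tag, der[na_s:na_e])


def validity_table(bundle_text):
    """[(cn, notBefore ISO, notAfter ISO)] for every PEM block in the bundle."""
    rows = []
    for m in PEM_BLOCK.finditer(bundle_text):
        cn, nb, na = cert_info(base64.b64decode("".join(m.group(1).split())))
        rows.append((cn, nb.isoformat(), na.isoformat()))
    return rows


def prune_expired(bundle_text, now):
    """Return (new bundle text, [cn of removed certs]); text outside removed blocks
    (including curl's '# Issuer:' comment lines) is preserved verbatim."""
    out, last, removed = [], 0, []
    for m in PEM_BLOCK.finditer(bundle_text):
        cn, _, not_after = cert_info(base64.b64decode("".join(m.group(1).split())))
        if not_after < now:
            out.append(bundle_text[last:m.start()])
            removed.append(cn)
            last = m.end()
    out.append(bundle_text[last:])
    return "".join(out), removed


# --- constructed fixtures: unsigned skeletons with a placeholder key, NOT real certificates ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def skeleton_cert_pem(cn, not_before, not_after):
    """Minimal X.509 v3 layout with every field cert_info walks; dummy signature bit string."""
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x13, cn.encode()))))
    utc = lambda t: _enc(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + name
               + _enc(0x30, utc(not_before) + utc(not_after)) + name + _enc(0x30, b""))
    b64 = base64.b64encode(_enc(0x30, tbs + alg + _enc(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (  # names/dates from the thread; the 14:01:15 expiry instant is an assumption
    "# Issuer: CN=DST Root CA X3 (constructed fixture)\n"
    + skeleton_cert_pem("DST Root CA X3", dt.datetime(2000, 9, 30, 21, 12, 19, tzinfo=UTC),
                        dt.datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
    + "# Issuer: CN=ISRG Root X1 (constructed fixture)\n"
    + skeleton_cert_pem("ISRG Root X1", dt.datetime(2015, 6, 4, 11, 4, 38, tzinfo=UTC),
                        dt.datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_BUNDLE
    for cn, nb, na in validity_table(text):
        print(f"{cn:45s} {nb}  ->  {na}")
    pruned, removed = prune_expired(text, dt.datetime.now(UTC))
    print("expired, removed:", removed or "none")
    if path:                              # never overwrite the live bundle; write a sibling copy
        open(path + ".pruned", "w", encoding="utf-8").write(pruned)
```

Against the real file this produces `ca-bundle.crt.pruned`, so the swap is the rename-and-drop-in Richard describes and the old file stays available for rollback. Pruning only removes roots that are already past their notAfter, so it cannot widen trust, but it is a stopgap: the chain-building limitation that makes the expired root matter belongs to OpenSSL 1.0.2 in the client, and the lasting fix is the OpenSSL 1.1 update Nicolas points to.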
Copyright © 2021 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.