Peer certificate cannot be authenticated with given CA certificates

Dr Who Fan
Joined: 10 May 07
Posts: 574
United States
Message 99248 - Posted: 11 Jun 2020, 2:23:33 UTC

Indirectly related to the BOINC Security Certificate issue:

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher.

When will the next widely used root certificate expire? "Possibly March next year," he says. "Within the next 12 months we're going to have a lot of things breaking, or hopefully a response from the industry to start fixing stuff."

One potentially significant date is 30 September 2021, when the DST Root CA X3 certificate used by many Let's Encrypt certificates expires. Again, it is no use simply updating the certificate on the server; the client must have an updated root certificate for this to be effective.
ID: 99248
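
Added example (not part of the thread and not BOINC project code): since the fix has to happen in the client's own root store, this shell function lists the certificates in a PEM CA bundle that are expired or will expire within a given number of days. It assumes the openssl CLI and awk are installed; the function names and the demo certificate names are made up for illustration.

```shell
#!/bin/sh
# Added example: flag certificates in a PEM CA bundle that are already expired
# or will expire within DAYS days. Requires the openssl CLI and awk.

audit_bundle() {    # usage: audit_bundle BUNDLE [DAYS]  (default 365)
    bundle=$1
    window=$(( ${2:-365} * 86400 ))
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
    flagged=0
    for pem in "$tmpdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
            echo "unparsable certificate block"; flagged=$((flagged + 1)); continue
        fi
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            flagged=$((flagged + 1))
            printf '%s | %s\n' "$(openssl x509 -in "$pem" -noout -enddate)" \
                               "$(openssl x509 -in "$pem" -noout -subject)"
        fi
    done
    rm -rf "$tmpdir"
    [ "$flagged" -eq 0 ]    # status 0: nothing flagged, 1: at least one flagged
}

# Constructed sample input: a bundle of two throwaway self-signed roots,
# one valid for 1 day and one for 3650 days (hypothetical names).
make_demo_bundle() {
    out=$1; work=$(mktemp -d) || return 2
    for spec in "1:Demo Short-Lived Root" "3650:Demo Long-Lived Root"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "${spec%%:*}" \
            -subj "/CN=${spec#*:}" -keyout "$work/key.pem" \
            -out "$work/cert.pem" 2>/dev/null || return 2
        cat "$work/cert.pem" >> "$out"
    done
    rm -rf "$work"
}

# Run as a script:  sh audit_bundle.sh ca-bundle.crt 365
if [ "$#" -gt 0 ]; then audit_bundle "$@"; fi
```

A non-zero exit status means at least one certificate in the bundle falls inside the window, which makes the function usable as a scheduled check.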
MarkJ
Volunteer tester
Help desk expert

Joined: 5 Mar 08
Posts: 263
Australia
Message 99187 - Posted: 9 Jun 2020, 8:01:12 UTC
Last modified: 9 Jun 2020, 8:02:15 UTC

Yesterday (Mon 8th of June) Debian issued an updated ca-certificates. They added 13 and deleted 15, although it doesn't say which ones. I wouldn't be surprised if this has caught a number of organizations out, not just BOINC. I can still communicate with all my projects so they don't seem to have broken anything as far as I can tell.
MarkJ
ID: 99187
Peter Hucker
Joined: 6 Oct 06
Posts: 679
United Kingdom
Message 99146 - Posted: 5 Jun 2020, 21:46:58 UTC - in response to Message 99142.  

No, this ends here. Stop baiting, stop reacting to that. Final warning.


I'm not doing any of the above, I was polite.

I made three simple points which are not insulting in any way:

1) A programmer made a mistake.
2) That cost 100,000 people an afternoon of fiddling about.
3) We are also volunteers and we put a lot of money and time into this.
ID: 99146
Bryn Mawr
Help desk expert
Joined: 31 Dec 18
Posts: 76
United Kingdom
Message 99144 - Posted: 5 Jun 2020, 21:18:40 UTC - in response to Message 99142.  

No, this ends here. Stop baiting, stop reacting to that. Final warning.


My apologies, I will withdraw.
ID: 99144
BOINC Moderator
Volunteer moderator
Project administrator
Joined: 10 Mar 20
Posts: 16
Message 99142 - Posted: 5 Jun 2020, 21:08:33 UTC

No, this ends here. Stop baiting, stop reacting to that. Final warning.
ID: 99142
Bryn Mawr
Help desk expert
Joined: 31 Dec 18
Posts: 76
United Kingdom
Message 99141 - Posted: 5 Jun 2020, 20:57:12 UTC - in response to Message 99134.  

And yet didn't sort it before that date. Utter incompetence. Somebody should have written the expiry date on a calendar for goodness sake. If Boinc was a private company, somebody would now be fired.


Did I hear you volunteering to contribute? Thought not.

When a program is written and maintained by volunteers, accusations of incompetence etc are unlikely to produce any change.

LoL, volunteer just means "no pay", it doesn't change competence/incompetence status. At all.
Shit happens, but better not in SUCH degree.

EDIT: And I would appreciate concise instructions what to do on my end to solve incompetence (yes, let's call things by their names) on server-end.
And preferably no-BOINC-version-update fix, cause I'm fully aware how many issues I potentially would have changing from checked-to-be-stable to "recommended" one...


Might I suggest that with your attitude your best fix is to turn your computers off.

Why should the volunteers give up their time to give you concise instructions to do a job that no longer needs doing for those who’ve accepted the updated software that you so insultingly refuse to run?


You forget that each and every one of us is also a volunteer, spending a lot of time and money on computers and electricity. This problem, which could have been avoided by someone remembering to update the certificate before it expired, would have saved 100s of 1000s of people a wasted afternoon, and saved the stopping of many important science projects. Perhaps the programmers could pay more attention in future.


Regardless of what has happened and why, there is no possible justification for insulting and foul mouthing the volunteers.
ID: 99141
Peter Hucker
Joined: 6 Oct 06
Posts: 679
United Kingdom
Message 99134 - Posted: 5 Jun 2020, 18:21:46 UTC - in response to Message 99105.  

And yet didn't sort it before that date. Utter incompetence. Somebody should have written the expiry date on a calendar for goodness sake. If Boinc was a private company, somebody would now be fired.


Did I hear you volunteering to contribute? Thought not.

When a program is written and maintained by volunteers, accusations of incompetence etc are unlikely to produce any change.

LoL, volunteer just means "no pay", it doesn't change competence/incompetence status. At all.
Shit happens, but better not in SUCH degree.

EDIT: And I would appreciate concise instructions what to do on my end to solve incompetence (yes, let's call things by their names) on server-end.
And preferably no-BOINC-version-update fix, cause I'm fully aware how many issues I potentially would have changing from checked-to-be-stable to "recommended" one...


Might I suggest that with your attitude your best fix is to turn your computers off.

Why should the volunteers give up their time to give you concise instructions to do a job that no longer needs doing for those who’ve accepted the updated software that you so insultingly refuse to run?


You forget that each and every one of us is also a volunteer, spending a lot of time and money on computers and electricity. This problem, which could have been avoided by someone remembering to update the certificate before it expired, would have saved 100s of 1000s of people a wasted afternoon, and saved the stopping of many important science projects. Perhaps the programmers could pay more attention in future.
ID: 99134
BOINC Moderator
Volunteer moderator
Project administrator
Joined: 10 Mar 20
Posts: 16
Message 99131 - Posted: 5 Jun 2020, 13:24:34 UTC

I see it solved itself in the end, but can we please post with a certain level of respect to each other? The attacks, if you feel you need to do them, do so in private message, not in these threads.
Thank you.
ID: 99131
Keith T
Joined: 26 Feb 07
Posts: 71
United Kingdom
Message 99130 - Posted: 5 Jun 2020, 12:11:12 UTC - in response to Message 99127.  

Sorry, if that one is a problem, can it be removed as a download ? Or replaced with the latest correct version ?
To explain how GitHub works:

Normally, 'master' has the latest and greatest version. Access to master is controlled, peer-reviewed, and automatically tested - so usually, it's good.

But in this case, because of the urgency of the situation, the priority was to get out a quick'n'dirty fix. So, the best copy (currently) is actually in

https://github.com/BOINC/boinc/tree/client_release/7/7.16/curl (note the date and comment)

But it's slightly difficult to download a single file, so it's easier to make your own file from

https://raw.githubusercontent.com/BOINC/boinc/client_release/7/7.16/curl/ca-bundle.crt


Thanks again Richard !

You are correct that I am a complete newbie at GitHub. I think my mistake was in assuming that something called Master would be the authoritative version !
ID: 99130
Raistmer
Joined: 9 Apr 06
Posts: 242
Message 99129 - Posted: 5 Jun 2020, 11:52:40 UTC - in response to Message 99128.  

The single explanation I have - 2-years-old-files missed some junk that was added later...
Yes, you were probably using a 6-years-old file... ;-)


:D :D :D
very probably :)
ID: 99129
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4145
United Kingdom
Message 99128 - Posted: 5 Jun 2020, 11:50:36 UTC - in response to Message 99126.  

The single explanation I have - 2-years-old-files missed some junk that was added later...
Yes, you were probably using a 6-years-old file... ;-)
ID: 99128
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4145
United Kingdom
Message 99127 - Posted: 5 Jun 2020, 11:49:20 UTC - in response to Message 99123.  

Sorry, if that one is a problem, can it be removed as a download ? Or replaced with the latest correct version ?
To explain how GitHub works:

Normally, 'master' has the latest and greatest version. Access to master is controlled, peer-reviewed, and automatically tested - so usually, it's good.

But in this case, because of the urgency of the situation, the priority was to get out a quick'n'dirty fix. So, the best copy (currently) is actually in

https://github.com/BOINC/boinc/tree/client_release/7/7.16/curl (note the date and comment)

But it's slightly difficult to download a single file, so it's easier to make your own file from

https://raw.githubusercontent.com/BOINC/boinc/client_release/7/7.16/curl/ca-bundle.crt
ID: 99127
Raistmer
Joined: 9 Apr 06
Posts: 242
Message 99126 - Posted: 5 Jun 2020, 11:45:59 UTC - in response to Message 99124.  
Last modified: 5 Jun 2020, 11:46:48 UTC

Hm... at least Rosetta uploaded, downloaded and running again on this host.
Rosetta and LHC have done server-side updates. NumberFields, I suspect, is still broken and has lost a lot of computing power because of this foul-up. I seem to be doing mostly other people's cast-offs at the moment.

I don't understand then... Before the local file change the host wasn't able to connect to the (updated?) Rosetta server. After I put the 2-years-old file in place - it can....

The single explanation I have - 2-years-old-files missed some junk that was added later...
ID: 99126
Raistmer
Joined: 9 Apr 06
Posts: 242
Message 99125 - Posted: 5 Jun 2020, 11:43:30 UTC - in response to Message 99114.  



But watch out for outdated OpenSSL library files, too. Ask separately if you fall foul of those.


This issue stopped a few of my old Android hosts with NativeBOINC and w/o root rights :/
Still no progress there (and BOINC from Google Play doesn't support those devices either).
ID: 99125
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4145
United Kingdom
Message 99124 - Posted: 5 Jun 2020, 11:41:28 UTC - in response to Message 99121.  

Hm... at least Rosetta uploaded, downloaded and running again on this host.
Rosetta and LHC have done server-side updates. NumberFields, I suspect, is still broken and has lost a lot of computing power because of this foul-up. I seem to be doing mostly other people's cast-offs at the moment.
ID: 99124
Keith T
Joined: 26 Feb 07
Posts: 71
United Kingdom
Message 99123 - Posted: 5 Jun 2020, 11:39:36 UTC - in response to Message 99116.  

NO

Try here https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt
That's the two-year-old one that caused all the trouble in the first place.


Sorry, if that one is a problem, can it be removed as a download ? Or replaced with the latest correct version ?
ID: 99123
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4145
United Kingdom
Message 99122 - Posted: 5 Jun 2020, 11:38:10 UTC - in response to Message 99119.  

Richard, maybe it's updated already?


Check the dates, and read the comments I've put on #3802 this morning.
ID: 99122
Raistmer
Joined: 9 Apr 06
Posts: 242
Message 99121 - Posted: 5 Jun 2020, 11:37:17 UTC - in response to Message 99120.  
Last modified: 5 Jun 2020, 11:38:12 UTC

Well, I'll try to extract new file from latest package then report.
I'll save you the trouble: it'll fail.

Master has not yet been updated. There are two contenders for the honour:

https://github.com/BOINC/boinc/pull/3791 (good)
https://github.com/BOINC/boinc/pull/3802 (bad)


Hm... at least Rosetta uploaded, downloaded and running again on this host.
I'm happy and can go back to my ignorance with feelings of completed job, LoL :)

(EDIT E@h project is happy too)
ID: 99121
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4145
United Kingdom
Message 99120 - Posted: 5 Jun 2020, 11:35:55 UTC - in response to Message 99113.  

Well, I'll try to extract new file from latest package then report.
I'll save you the trouble: it'll fail.

Master has not yet been updated. There are two contenders for the honour:

https://github.com/BOINC/boinc/pull/3791 (good)
https://github.com/BOINC/boinc/pull/3802 (bad)
ID: 99120
Raistmer
Joined: 9 Apr 06
Posts: 242
Message 99119 - Posted: 5 Jun 2020, 11:33:33 UTC - in response to Message 99116.  
Last modified: 5 Jun 2020, 11:35:56 UTC

NO

Try here https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt
That's the two-year-old one that caused all the trouble in the first place.


Richard, maybe it's updated already?
At least I experimentally confirmed - connection restored....

EDIT: though, actually I did it in a little different way:
1) downloaded zipped source tree
2) extracted
3) found required file
4) came back to web-sources and found link to the same place as in ZIP.
ID: 99119

Copyright © 2020 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.