Message boards : Questions and problems : HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)
Joined: 10 May 07 Posts: 1443

Not sure if this is a BOINC CA CERTIFICATE ERROR or a PROJECT CA CERTIFICATE ERROR. Got the following error message across all 6 of my PCs (Windows 8.1, Windows 7, Windows VISTA and Windows WINE under Ubuntu) this morning (US time) on TWO projects, iThena and WuProp:

HTTP error: Peer certificate cannot be authenticated with given CA certificates

Running latest stable BOINC 7.16.11 Windows x64. Happened shortly after 9:00 AM local time (US CENTRAL TIME); add +5 hours to get UTC TIME OF 14:00. Not sure if it affects any other projects. As far as I can see the SSL security certificates for the two projects are NOT expired and are current.

Snippet from BOINC STDERR log from my Windows 8.1 PC when trying to send completed work to iThena. Similar error messages when contacting WuProp.

30-Sep-2021 09:02:24 [iThena] Sending scheduler request: To fetch work.

16:42 UTC EDIT TO ADD>> BOINC communicates with / sends to / receives tasks from my other two active projects on the PCs, Minecraft and PRIVATE GFN, with no certificate error messages.
Joined: 5 Oct 06 Posts: 5129

I'd suspect it's a BOINC problem. Windows versions of BOINC rely on a 'ca-bundle.crt' file stored in your BOINC program folder, and only updated when a new version is installed. The most recent update to the sources held by BOINC was on May 31, 2020, which should have been included in v7.16.11 (released 2020-09-02) - I'll check.
Joined: 5 Oct 06 Posts: 5129

OK, I got this when attempting to attach to iThena. I expected the attach to fail, because they're not accepting new members: but that would be for the server to say, not SSL.

30/09/2021 18:05:06 | | Fetching configuration file from https://root.ithena.net/usr/get_project_config.php
30/09/2021 18:05:06 | | [http] HTTP_OP::init_get(): https://root.ithena.net/usr/get_project_config.php
30/09/2021 18:05:06 | | [http] HTTP_OP::libcurl_exec(): ca-bundle 'D:\BOINC\ca-bundle.crt'
30/09/2021 18:05:06 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set
30/09/2021 18:05:06 | | [http] [ID#2] Info: Connection 2831 seems to be dead!
30/09/2021 18:05:06 | | [http] [ID#2] Info: Closing connection 2831
30/09/2021 18:05:06 | | [http] [ID#2] Info: Connection 2832 seems to be dead!
30/09/2021 18:05:06 | | [http] [ID#2] Info: Closing connection 2832
30/09/2021 18:05:06 | | [http] [ID#2] Info: Trying 85.204.27.80...
30/09/2021 18:05:07 | | [http] [ID#2] Info: Connected to root.ithena.net (85.204.27.80) port 443 (#2833)
30/09/2021 18:05:07 | | [http] [ID#2] Info: ALPN, offering http/1.1
30/09/2021 18:05:07 | | [http] [ID#2] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
30/09/2021 18:05:07 | | [http] [ID#2] Info: successfully set certificate verify locations:
30/09/2021 18:05:07 | | [http] [ID#2] Info: CAfile: D:\BOINC\ca-bundle.crt
30/09/2021 18:05:07 | | [http] [ID#2] Info: CApath: none
30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
30/09/2021 18:05:07 | | [http] [ID#2] Info: SSL certificate problem: certificate has expired
30/09/2021 18:05:07 | | [http] [ID#2] Info: Closing connection 2833
30/09/2021 18:05:07 | | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates

Note "CAfile: D:\BOINC\ca-bundle.crt" (yours is in C:). My BOINC client is also v7.16.11, and the ca-bundle.crt file is dated 31 May 2020. Checking that ca-bundle.crt is still serviceable is on the Release Manager's checklist for new versions (I put it there), and there's supposed to be a new version to coincide with the release of Windows 11 on October 5. I'd suggest you wait for that release, see whether that cures the problem, and be ready to raise merry hell if it doesn't.
Joined: 30 Sep 21 Posts: 7

Yes. Let's Encrypt has updated their certificates.

The Root is the ISRG Root X1: valid from 6/4/2015 to 6/4/2035.
The intermediate is R3: Thursday, September 3, 2020 7:00:00 PM to Monday, September 15, 2025 11:00:00 AM.

30 82 01 0a 02 82 01 01 00 bb 02 15 28 cc f6 a0 94 d3 0f 12 ec 8d 55 92 c3 f8 82 f1 99 a6 7a 42 88 a7 5d 26 aa b5 2b b9 c5 4c b1 af 8e 6b f9 75 c8 a3 d7 0f 47 94 14 55 35 57 8c 9e a8 a2 39 19 f5 82 3c 42 a9 4e 6e f5 3b c3 2e db 8d c0 b0 5c f3 59 38 e7 ed cf 69 f0 5a 0b 1b be c0 94 24 25 87 fa 37 71 b3 13 e7 1c ac e1 9b ef db e4 3b 45 52 45 96 a9 c1 53 ce 34 c8 52 ee b5 ae ed 8f de 60 70 e2 a5 54 ab b6 6d 0e 97 a5 40 34 6b 2b d3 bc 66 eb 66 34 7c fa 6b 8b 8f 57 29 99 f8 30 17 5d ba 72 6f fb 81 c5 ad d2 86 58 3d 17 c7 e7 09 bb f1 2b f7 86 dc c1 da 71 5d d4 46 e3 cc ad 25 c1 88 bc 60 67 75 66 b3 f1 18 f7 a2 5c e6 53 ff 3a 88 b6 47 a5 ff 13 18 ea 98 09 77 3f 9d 53 f9 cf 01 e5 f5 a6 70 17 14 af 63 a4 ff 99 b3 93 9d dc 53 a7 06 fe 48 85 1d a1 69 ae 25 75 bb 13 cc 52 03 f5 ed 51 a1 8b db 15 02 03 01 00 01

So is there a way to download the new ca-bundle.crt in the interim? October 5th is a long way to go without uploading or downloading WUs. If BOINC is going to force the validity of certificates, then the updated file needs to be made available.
Joined: 5 Oct 06 Posts: 5129

I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well.

I seem to remember a previous panic on the last day of some earlier month, as well. Yes, there was an emergency release of v7.16.7 on 31 May 2020, and the final code change was 'Update CA bundle'.
Joined: 29 Aug 05 Posts: 15563

> I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well.

As is CPDN, so I'd expect an earlier update. Checking https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/ it's the IdenTrust DST Root CA X3 that expired today.
Joined: 30 Sep 21 Posts: 7

But sites that use Let's Encrypt are the ones having an issue, since they updated their chain *after* that emergency release in May of 2020. October 5th is a long way away. That will be a lot of lost work and lost computational time. If you are going to use a certificate bundle that is client based, then updates to it need to be made available before issues start. I believe it is unique to Windows that the client has a local certificate file. Either that needs to be updated when the client checks for updates, or an option to launch the client that bypasses certificate validation needs to be made available.
Joined: 5 Oct 06 Posts: 5129

Add CPDN to the list. (Sorry, Jord - I was busy replying to the CPDN moderators when you posted.)
Joined: 29 Aug 05 Posts: 15563

It's all right, I posted to them as well and will put it on GitHub.

Edit: done that, let's wait and see what the devs say.
Joined: 5 Oct 06 Posts: 5129

Writing to the mailing lists as we speak.
Joined: 19 Jan 07 Posts: 1179

What OpenSSL version does BOINC for Windows show at the beginning of the log?
Joined: 5 Oct 06 Posts: 5129

While we wait, it's an easy job to update Windows clients with a new ca-bundle.crt file, when available: you don't even need to stop BOINC (though it might be a good idea to suspend networking while you do it). To be safe:

1. Navigate to the BOINC program folder.
2. Rename the old file.
3. Drop in the new one.

And that's it. If it goes wrong, you can return to the old file for the projects that are still accepting it, while the dust settles.

BOINC on Linux and other operating systems uses system security, which is automatically updated when needed. There should be no need to update BOINC separately on those systems.
Joined: 5 Oct 06 Posts: 5129

> What OpenSSL version does BOINC for Windows show at the beginning of the log?

OpenSSL/1.0.2s
Joined: 19 Jan 07 Posts: 1179

> > What OpenSSL version does BOINC for Windows show at the beginning of the log?
> OpenSSL/1.0.2s

Okay, so that is the problem. BOINC's ca-bundle.crt has had the new Let's Encrypt X1 certificate since January 2018, so that doesn't need to be updated. But OpenSSL 1.0 sees the X3 certificate expired and gives up, instead of noticing the project's certificate is also signed with X1, which is still valid. The fix is updating to OpenSSL 1.1. I already mentioned this in 2020 when the AddTrust certificate expired and we had the same problem...
Joined: 30 Sep 21 Posts: 7

That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue.
Joined: 19 Jan 07 Posts: 1179

> That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue.

What do you mean by "adding the certificates"? Are you modifying ca-bundle.crt?
Joined: 30 Sep 21 Posts: 7

> What do you mean by "adding the certificates"? Are you modifying ca-bundle.crt?

Yes.
Joined: 5 Oct 06 Posts: 5129

I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).
Joined: 30 Sep 21 Posts: 7

> I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).

Removing it does indeed remediate the issue.
Joined: 10 May 07 Posts: 1443

> I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent).

Can someone post a download link to a modified working certificate, or say which section(s) of the current certificate to edit out?
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.