HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)
Author | Message |
---|---|
Joined: 5 Oct 06 Posts: 5129 |
Could somebody please post the {full, exact, searchable} name of the certificate that needs to be removed? Once you have that, it's an easy job to make the change. The certificate bundle is just a plain text file - make a copy, work in a safe space - and change the extension to .txt. Even notepad can handle the job. Just make sure you add or remove complete sections. I think I may have modified mine last time - I can't find any of the ones that are being mentioned here. |
Joined: 30 Sep 21 Posts: 7 |
It is the DST X3 portion of the certificate. Since the developers put what certificate is what, it would be nice if they added the expiration date as well. It would help them since they could also see what certificates are going to be invalid in the future. |
Joined: 5 Oct 06 Posts: 5129 |
You mean this one? Searching for 'DST X3' didn't find anything. |
Joined: 30 Sep 21 Posts: 7 |
"You mean this one?" That's the one that is expired. |
Joined: 5 Oct 06 Posts: 5129 |
OK, that worked. I removed the one I showed you, between these two scheduler requests:
30/09/2021 18:52:19 | GPUGRID | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
30/09/2021 20:38:59 | GPUGRID | Scheduler request completed: got 1 new tasks
Unless they've done something to their server, too ;-) |
Joined: 5 Oct 06 Posts: 5129 |
|
Joined: 10 May 07 Posts: 1444 |
AT YOUR OWN RISK Works for me.. Downloaded and copied to BOINC program folder replacing old certificate. |
Joined: 19 Jan 07 Posts: 1179 |
In addition to the workaround of removing the expired certificate from ca-bundle, it seems projects can also work around this by using certbot --preferred-chain "ISRG Root X1" when getting their letsencrypt certificate, this gives compatibility with old OpenSSL (while breaking compatibility with old Android). The real fix is still to upgrade OpenSSL, but devs told me it won't be quick :) |
Joined: 26 Mar 11 Posts: 192 |
Another Project affected .... WUprop Bill F |
Joined: 10 May 07 Posts: 1444 |
"Another Project affected .... WUprop" I mentioned Two projects WuProp & iTherna in my original post that started this topic. |
Joined: 1 Oct 21 Posts: 3 |
Other projects affected: Amicable Numbers, SiDock@home (which were fixed using the updated certificate :) |
Joined: 12 Feb 11 Posts: 419 |
Checking that ca-bundle.crt is still serviceable is on the Release Manager's checklist for new versions (I put it there), and there's supposed to be a new version to coincide with the release of Windows 11 on October 5. Do you plan to release a new windows client next week? |
Joined: 5 Oct 06 Posts: 5129 |
"Do you plan to release a new windows client next week?" I no longer have that responsibility - they took it away from me after one trial run with v7.10 in 2018. So far as I can see, the current Release Manager (who is based in California, in the PDT time zone) has not yet responded to the emergence of this problem, on any of the channels I can monitor. |
Joined: 29 Aug 05 Posts: 15564 |
I don't see any movement or sense of urgency at the development stage. |
Joined: 28 Jun 10 Posts: 2703 |
AT YOUR OWN RISK Done the replacement on my WINE installation but didn't actually confirm it was affected as not currently running. |
Joined: 5 Oct 06 Posts: 5129 |
"Done the replacement on my WINE installation but didn't actually confirm it was affected as not currently running." You can do a simple 'project update', from either BOINC Manager or boinccmd, to verify that. The Event Log will show either 'failed' with the expired certificate in the bundle, or 'completed' with it removed. The bad certificate blocks all https communication between client and server, not just uploads. |
Joined: 19 Jun 10 Posts: 17 |
Jord: I don't see any movement or sense of urgency at the development stage. Richard: The bad certificate blocks all https communication between client and server, not just uploads. I see a very high urgency at the development stage is needed |
Joined: 5 Oct 06 Posts: 5129 |
"I see a very high urgency at the development stage is needed" So do we, but unfortunately it's the middle of the night in California. Fixing this one requires tools only available to authorised users - probably employees only - of the University of California in Berkeley. I hope someone with the appropriate contacts can kick the relevant people out of bed when the sun rises. |
Joined: 1 Oct 21 Posts: 2 |
@Richard Haselgrove your updated certificate works like a charm, except for WCG it worked for a short while and now...... (Time zone GMT+3)
10/1/2021 3:39:47 PM | World Community Grid | update requested by user
10/1/2021 3:39:48 PM | World Community Grid | Sending scheduler request: Requested by user.
10/1/2021 3:39:48 PM | World Community Grid | Not requesting tasks: don't need (CPU: not highest priority project; AMD/ATI GPU: not highest priority project)
10/1/2021 3:39:50 PM | World Community Grid | Scheduler request failed: HTTP service unavailable
seems like they changed something shortly after we made changes |
Joined: 5 Oct 06 Posts: 5129 |
Yes, they had an unplanned outage: Greetings, https://www.worldcommunitygrid.org/forums/wcg/viewthread_thread,43772 |
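
The bundle edit discussed in this thread (find the certificate's exact label, then remove its complete section from a copy of the file), as an added example that is not part of the original posts or of BOINC itself. It assumes the curl-style layout in which each PEM block is preceded by a name line and a row of `=`; the sample bundle, its labels and its base64 bodies are constructed placeholders.

```python
import re
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# One complete section: name line, '=' underline, PEM block, trailing blank lines.
SECTION = re.compile(
    r"^(?P<label>[^\n]+)\n=+\n" + BEGIN + r"\n[A-Za-z0-9+/=\n]+?" + END + r"\n*",
    re.M)

def list_labels(bundle):
    """Names of all labelled certificates, in file order."""
    return [m.group("label").strip() for m in SECTION.finditer(bundle)]

def find_labels(bundle, query):
    """Labels containing every word of `query`, case-insensitively."""
    words = query.lower().split()
    return [l for l in list_labels(bundle) if all(w in l.lower() for w in words)]

def remove_certificate(bundle, name):
    """Return a copy of `bundle` without the section labelled exactly `name`."""
    if bundle.count(BEGIN) != bundle.count(END):
        raise ValueError("unbalanced BEGIN/END markers; bundle is already damaged")
    hits = [m for m in SECTION.finditer(bundle) if m.group("label").strip() == name]
    if len(hits) != 1:
        raise LookupError(f"{name!r} matched {len(hits)} sections; "
                          f"similar labels: {find_labels(bundle, name)}")
    return bundle[:hits[0].start()] + bundle[hits[0].end():]

# Constructed sample: placeholder bodies, not real certificates.
SAMPLE = """\
## Constructed sample bundle for the example below.

DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----

ISRG Root X1
============
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1A=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":  # usage: prog COPY_OF_BUNDLE "EXACT LABEL"
    with open(sys.argv[1], encoding="utf-8") as fh:
        cleaned = remove_certificate(fh.read(), sys.argv[2])
    with open(sys.argv[1] + ".new", "w", encoding="utf-8") as fh:
        fh.write(cleaned)
```

A search for two non-adjacent words such as `DST X3` finds the label here because `find_labels` matches word by word, while `remove_certificate` insists on the exact label and writes only to a new file.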
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.