HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)

Message boards : Questions and problems : HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)
Message board moderation

To post messages, you must log in.

Previous · 1 · 2 · 3 · 4 · 5 · Next

AuthorMessage
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105604 - Posted: 2 Oct 2021, 15:21:30 UTC

A volunteer developer is working on creating an emergency release (take a bow, Vitalii).

The new release will contain a fresh certificate bundle, sourced from a genuine and reliable public source: https://curl.se/docs/caextract.html

You will need to rename cacert.pem to ca-bundle.crt, but it works with some of the projects that were having problems on Thursday (I haven't checked them all). If you feel nervous about downloading amateur hacks like mine, feel free to download from there instead.
ID: 105604 · Report as offensive
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 150
Sweden
Message 105605 - Posted: 2 Oct 2021, 16:01:53 UTC

No problems on WCG when it comes to the ca-bundle.crt issue. WCG is my only project, so I'm not taking any action for now.
ID: 105605 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105606 - Posted: 2 Oct 2021, 16:14:01 UTC - in response to Message 105605.  

Of course. Only mess around with your installation if you have identified that you have the type of problem being described here.
ID: 105606 · Report as offensive
milesrf

Send message
Joined: 7 Aug 21
Posts: 2
United States
Message 105612 - Posted: 3 Oct 2021, 15:00:50 UTC

Project RNA World is also affected.
ID: 105612 · Report as offensive
drghughes

Send message
Joined: 29 Aug 08
Posts: 10
Australia
Message 105614 - Posted: 3 Oct 2021, 16:22:23 UTC

Does anyone know when the new version will be available?

Thanks!
ID: 105614 · Report as offensive
Profile Joseph Stateson
Volunteer tester
Avatar

Send message
Joined: 27 Jun 08
Posts: 611
United States
Message 105615 - Posted: 3 Oct 2021, 16:32:06 UTC

Ubuntu with 7.16.11 did not have problem with certificate but 7.16.11 on windows 10 did.
Removing the expired certificate "dst ca x3" from windows store had no effect so I put it back into that store.
Removing from ca-bundle.crt worked fine for gpugrid. No warning about the cert but did not get a work unit as none avaialble
ID: 105615 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105617 - Posted: 3 Oct 2021, 17:26:52 UTC - in response to Message 105615.  

That's what we've been saying from the beginning - and we said it in May last year, too, when the same thing happened for the same reason.

BOINC on Windows relies entirely on private files, which are distributed by the Windows BOINC installer. It doesn't leverage the resources of any other software installed on the same instance of Windows.

This has two consequences at the moment:

1) certificates stored in BOINC's copy of ca-bundle.crt can expire between releases - as one did last week.
2) BOINC can't communicate securely when there is an expired certificate present, because the old version of the security software being used has a bug in it that prevents the search for a usable certificate proceeding past the roadblock caused by the expired certificate. That software can't be upgraded in the field.

To answer the previous question: no, we have no idea when work will even start on a new release, let alone when it will be tested and ready. There has been total silence on this subject from UC Berkeley. The volunteer initiative which seemed promising yesterday morning has petered out with no further progress.
ID: 105617 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15068
Netherlands
Message 105618 - Posted: 3 Oct 2021, 18:04:18 UTC

Checking the validity of other certs in ca-bundle.crt I see that GlobalSign Root CA - R2 is valid till December 15, 2021 (Source)

GeoTrust Global CA expires May 2022 (Source)

QuoVadis Root CA seems to have expired already (Source)

Security Communication Root CA I cannot find.

Sonera Class 2 Root CA seems to have expired (Source)

I don't have time now to check all, will continue later.
ID: 105618 · Report as offensive
Profile Bill Freauff
Avatar

Send message
Joined: 26 Mar 11
Posts: 130
United States
Message 105620 - Posted: 4 Oct 2021, 1:25:37 UTC

Mentioned earlier in this tread .. was SSL versions considerations.

I am seeing this error on the CPDN forum ? Coincidence or part of same issue ?

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/boinc/cpdnboinc/html/inc/header.inc on line 9

Thanks
Bill F
ID: 105620 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 105621 - Posted: 4 Oct 2021, 1:45:56 UTC - in response to Message 105620.  

Mentioned earlier in this tread .. was SSL versions considerations.

I am seeing this error on the CPDN forum ? Coincidence or part of same issue ?

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/boinc/cpdnboinc/html/inc/header.inc on line 9

Yeah probably same issue. Their server is affected by the same problem as the BOINC client.
ID: 105621 · Report as offensive
drghughes

Send message
Joined: 29 Aug 08
Posts: 10
Australia
Message 105622 - Posted: 4 Oct 2021, 6:21:09 UTC - in response to Message 105617.  

To answer the previous question: no, we have no idea when work will even start on a new release, let alone when it will be tested and ready. There has been total silence on this subject from UC Berkeley. The volunteer initiative which seemed promising yesterday morning has petered out with no further progress.


So if I want a fix, the only reliable way at the moment is to manually change the security certificate?
ID: 105622 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105626 - Posted: 4 Oct 2021, 8:59:44 UTC

Signs of life - we have a v7.16.20 release branch since 4 hours ago. That should be the beginnings of an emergency Windows release, but the final assembly will have to be done in Berkeley. I doubt it'll be available for download in Europe before tomorrow.

@ drghughes - look back through this thread for certificate download links. There are two: my amateur hack, and an official download site for a reliable version. Either will do - you don't have to edit the file yourself, just drop the replacement (renamed in the latter case) into your BOINC program location.
ID: 105626 · Report as offensive
drghughes

Send message
Joined: 29 Aug 08
Posts: 10
Australia
Message 105627 - Posted: 4 Oct 2021, 9:26:19 UTC - in response to Message 105626.  

@ drghughes - look back through this thread for certificate download links. There are two: my amateur hack, and an official download site for a reliable version. Either will do - you don't have to edit the file yourself, just drop the replacement (renamed in the latter case) into your BOINC program location.


Thanks Richard! I have bitten the bullet and fortunately all has gone okay.
ID: 105627 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105628 - Posted: 4 Oct 2021, 11:02:37 UTC

Well, I've downloaded the new v7.16.20 branch, and compiled it under VS2013: it's running, and it can connect to the sites which were blocked on Thursday.

04/10/2021 11:55:04 | | Version change (7.16.16 -> 7.16.20)

But it's still using the old version of OpenSSL, so we're storing up a third round of this type of error for the future.

04/10/2021 11:55:02 | | Libraries: libcurl/7.42.1 OpenSSL/1.0.2s zlib/1.2.8

Better than nothing, but I'll report back to the developers.
ID: 105628 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15068
Netherlands
Message 105629 - Posted: 4 Oct 2021, 12:12:34 UTC - in response to Message 105618.  

Continuing the search (but keeping in mind I can only post 4 URLs).

DigiCert High Assurance EV Root CA looks like its first expiration date is 2021-11-04 (Source)

DST Root CA X3 is our current culprit.

VeriSign Class 3 Public Primary Certification Authority - G5 has a first next expiration date of 2021-11-07 23:59­:59 UTC but many after that till 2035 and further, so it may not be a problem (Source)

Cybertrust Global Root looks like it has a first next expiration date of 2021-12-15 08:00­:00 UTC (Source)

One third of the certs checked. If anyone wants to dive in, next on the list is GlobalSign Root CA - R3 and I check them at https://ssl-tools.net/certificates
ID: 105629 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105630 - Posted: 4 Oct 2021, 13:20:25 UTC - in response to Message 105629.  

I've got another way of checking those certs, but I've lost the simple bit of code I wrote to help with the process. I'll try to re-write it, and assemble a full reference list of the certificates in the new bundle. But it may not be ready until tomorrow.
ID: 105630 · Report as offensive
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 150
Sweden
Message 105631 - Posted: 4 Oct 2021, 14:22:09 UTC

Correct me if I'm wrong, but one doesn't have to install the new version, when it's available for Windows.
Just ripping out the updated ca-bundle.crt file from the installer, and dropping it into the BOINC folder, replacing the old one should be enough.
ID: 105631 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15068
Netherlands
Message 105632 - Posted: 4 Oct 2021, 14:40:42 UTC - in response to Message 105631.  

Well, technically maybe. But not if you're using a very old version of BOINC because you can't let go of old stuff. Because then parts of that (curl, OpenSSL) are way too old and like a sieve when it comes to security to reliably use it.
ID: 105632 · Report as offensive
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 150
Sweden
Message 105633 - Posted: 4 Oct 2021, 14:43:18 UTC

V 7.16.7 should be a sufficiently modern version I believe.
ID: 105633 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 4825
United Kingdom
Message 105634 - Posted: 4 Oct 2021, 14:43:44 UTC - in response to Message 105631.  

Ripping a single file out of the installer isn't as easy as it sounds - it isn't a standard archive. Much easier (and quicker) to use the download link from curl, and drop it in from there. It's the same file.
ID: 105634 · Report as offensive
Previous · 1 · 2 · 3 · 4 · 5 · Next

Message boards : Questions and problems : HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)

Copyright © 2022 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.