HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)
Author | Message |
---|---|
Send message Joined: 30 Mar 20 Posts: 419 |
No problems on WCG when it comes to the ca-bundle.crt issue. WCG is my only project, so I'm not taking any action for now. |
Send message Joined: 5 Oct 06 Posts: 5129 |
Of course. Only mess around with your installation if you have identified that you have the type of problem being described here. |
Send message Joined: 7 Aug 21 Posts: 6 |
Project RNA World is also affected. |
Send message Joined: 29 Aug 08 Posts: 10 |
Does anyone know when the new version will be available? Thanks! |
Send message Joined: 27 Jun 08 Posts: 641 |
Ubuntu with 7.16.11 did not have a problem with the certificate but 7.16.11 on Windows 10 did. Removing the expired certificate "dst ca x3" from the Windows store had no effect so I put it back into that store. Removing it from ca-bundle.crt worked fine for gpugrid. No warning about the cert but did not get a work unit as none available. |
Send message Joined: 5 Oct 06 Posts: 5129 |
That's what we've been saying from the beginning - and we said it in May last year, too, when the same thing happened for the same reason. BOINC on Windows relies entirely on private files, which are distributed by the Windows BOINC installer. It doesn't leverage the resources of any other software installed on the same instance of Windows. This has two consequences at the moment: 1) certificates stored in BOINC's copy of ca-bundle.crt can expire between releases - as one did last week. 2) BOINC can't communicate securely when there is an expired certificate present, because the old version of the security software being used has a bug in it that prevents the search for a usable certificate proceeding past the roadblock caused by the expired certificate. That software can't be upgraded in the field. To answer the previous question: no, we have no idea when work will even start on a new release, let alone when it will be tested and ready. There has been total silence on this subject from UC Berkeley. The volunteer initiative which seemed promising yesterday morning has petered out with no further progress. |
Send message Joined: 29 Aug 05 Posts: 15564 |
Checking the validity of other certs in ca-bundle.crt I see that: GlobalSign Root CA - R2 is valid till December 15, 2021 (Source); GeoTrust Global CA expires May 2022 (Source); QuoVadis Root CA seems to have expired already (Source); Security Communication Root CA I cannot find; Sonera Class 2 Root CA seems to have expired (Source). I don't have time now to check all, will continue later. |
Send message Joined: 26 Mar 11 Posts: 192 |
Mentioned earlier in this thread .. was SSL versions considerations. I am seeing this error on the CPDN forum? Coincidence or part of same issue? `Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/boinc/cpdnboinc/html/inc/header.inc on line 9` Thanks Bill F |
Send message Joined: 19 Jan 07 Posts: 1179 |
"Mentioned earlier in this thread .. was SSL versions considerations." Yeah probably same issue. Their server is affected by the same problem as the BOINC client. |
Send message Joined: 29 Aug 08 Posts: 10 |
"To answer the previous question: no, we have no idea when work will even start on a new release, let alone when it will be tested and ready. There has been total silence on this subject from UC Berkeley. The volunteer initiative which seemed promising yesterday morning has petered out with no further progress." So if I want a fix, the only reliable way at the moment is to manually change the security certificate? |
Send message Joined: 5 Oct 06 Posts: 5129 |
Signs of life - we have a v7.16.20 release branch since 4 hours ago. That should be the beginnings of an emergency Windows release, but the final assembly will have to be done in Berkeley. I doubt it'll be available for download in Europe before tomorrow. @ drghughes - look back through this thread for certificate download links. There are two: my amateur hack, and an official download site for a reliable version. Either will do - you don't have to edit the file yourself, just drop the replacement (renamed in the latter case) into your BOINC program location. |
Send message Joined: 29 Aug 08 Posts: 10 |
"@ drghughes - look back through this thread for certificate download links. There are two: my amateur hack, and an official download site for a reliable version. Either will do - you don't have to edit the file yourself, just drop the replacement (renamed in the latter case) into your BOINC program location." Thanks Richard! I have bitten the bullet and fortunately all has gone okay. |
Send message Joined: 5 Oct 06 Posts: 5129 |
Well, I've downloaded the new v7.16.20 branch, and compiled it under VS2013: it's running, and it can connect to the sites which were blocked on Thursday. `04/10/2021 11:55:04 | | Version change (7.16.16 -> 7.16.20)` But it's still using the old version of OpenSSL, so we're storing up a third round of this type of error for the future. `04/10/2021 11:55:02 | | Libraries: libcurl/7.42.1 OpenSSL/1.0.2s zlib/1.2.8` Better than nothing, but I'll report back to the developers. |
Send message Joined: 29 Aug 05 Posts: 15564 |
Continuing the search (but keeping in mind I can only post 4 URLs). DigiCert High Assurance EV Root CA looks like its first expiration date is 2021-11-04 (Source). DST Root CA X3 is our current culprit. VeriSign Class 3 Public Primary Certification Authority - G5 has a first next expiration date of 2021-11-07 23:59:59 UTC but many after that till 2035 and further, so it may not be a problem (Source). Cybertrust Global Root looks like it has a first next expiration date of 2021-12-15 08:00:00 UTC (Source). One third of the certs checked. If anyone wants to dive in, next on the list is GlobalSign Root CA - R3 and I check them at https://ssl-tools.net/certificates |
Send message Joined: 5 Oct 06 Posts: 5129 |
I've got another way of checking those certs, but I've lost the simple bit of code I wrote to help with the process. I'll try to re-write it, and assemble a full reference list of the certificates in the new bundle. But it may not be ready until tomorrow. |
Send message Joined: 30 Mar 20 Posts: 419 |
Correct me if I'm wrong, but one doesn't have to install the new version, when it's available for Windows. Just ripping out the updated ca-bundle.crt file from the installer, and dropping it into the BOINC folder, replacing the old one should be enough. |
Send message Joined: 29 Aug 05 Posts: 15564 |
Well, technically maybe. But not if you're using a very old version of BOINC because you can't let go of old stuff. Because then parts of that (curl, OpenSSL) are way too old and like a sieve when it comes to security to reliably use it. |
Send message Joined: 30 Mar 20 Posts: 419 |
V 7.16.7 should be a sufficiently modern version I believe. |
Send message Joined: 5 Oct 06 Posts: 5129 |
Ripping a single file out of the installer isn't as easy as it sounds - it isn't a standard archive. Much easier (and quicker) to use the download link from curl, and drop it in from there. It's the same file. |
Send message Joined: 5 Oct 06 Posts: 5129 |
"V 7.16.7 should be a sufficiently modern version I believe." If you're as close as that, why not go the whole hog and update? |
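
An added example, not code posted by anyone in this thread: the expiry checks that posters did by hand on ca-bundle.crt, done offline by reading the notAfter field of every certificate in the bundle. It assumes the bundle follows the curl cacert.pem layout (a name line, a line of `=`, then the PEM block); the function names and the 90-day `warn_days` threshold are illustrative choices.

```python
import base64, re, sys
from datetime import datetime, timezone

# Assumed layout (as in curl's cacert.pem): name line, line of '=', then the PEM block.
PEM_RE = re.compile(r"(?:^(?P<label>[^\n=-][^\n]*)\n=+\n)?-----BEGIN CERTIFICATE-----"
                    r"(?P<b64>.*?)-----END CERTIFICATE-----", re.S | re.M)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = read_tlv(der, 0)            # Certificate
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate
    skip = 4 if der[pos] == 0xA0 else 3     # [0] version (optional), serial, signature, issuer
    for _ in range(skip):
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)          # validity
    _, _, pos = read_tlv(der, pos)          # notBefore
    tag, start, end = read_tlv(der, pos)    # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_bundle(pem_text, now, warn_days=90):
    """Return [(label, not_after, status)]; status is 'expired', 'expiring' or 'ok'."""
    rows = []
    for i, m in enumerate(PEM_RE.finditer(pem_text), 1):
        expiry = not_after(base64.b64decode("".join(m["b64"].split())))
        soon = (expiry - now).days < warn_days
        rows.append((m["label"] or f"cert #{i}", expiry,
                     "expired" if expiry <= now else "expiring" if soon else "ok"))
    return rows

if __name__ == "__main__":                  # argument: path to a ca-bundle.crt
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for label, expiry, status in audit_bundle(fh.read(), datetime.now(timezone.utc)):
                if status != "ok":
                    print(f"{status:9} {expiry:%Y-%m-%d}  {label}")
```

Run it with the path to the bundle as the argument; it prints only the certificates that have expired or will expire within `warn_days`.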
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.