HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)

Richard Haselgrove
Volunteer tester
Help desk expert

Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105547 - Posted: 30 Sep 2021, 19:13:58 UTC

Could somebody please post the {full, exact, searchable} name of the certificate that needs to be removed?

Once you have that, it's an easy job to make the change. The certificate bundle is just a plain text file - make a copy, work in a safe space - and change the extension to .txt. Even notepad can handle the job. Just make sure you add or remove complete sections.

I think I may have modified mine last time - I can't find any of the ones that are being mentioned here.
ID: 105547

lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105548 - Posted: 30 Sep 2021, 19:17:19 UTC - in response to Message 105547.  

It is the DST X3 portion of the certificate.

Since the developers put what certificate is what, it would be nice if they added the expiration date as well. It would help them since they could also see what certificates are going to be invalid in the future.
ID: 105548
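
The two posts above describe removing one complete section from the bundle by hand and wish the bundle showed expiry dates. As an added example (not posted by anyone in this thread and not BOINC code), this script lists each certificate's notAfter date and can write a copy with the expired sections removed. It assumes the curl mk-ca-bundle layout (name line, row of "=", PEM block); the function names are this example's own, and it reads only the validity field without verifying any signature.

```python
import base64, re, sys
from datetime import datetime, timezone
# Assumed layout (curl mk-ca-bundle style): optional "Name" line, a row of "=", then the PEM block.
SECTION_RE = re.compile(r"(?:^(?P<name>[^\n]+)\n=+\n)?-----BEGIN CERTIFICATE-----\n"
                        r"(?P<b64>.*?)-----END CERTIFICATE-----\n?", re.S | re.M)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # explicit [0] version, absent in v1 certs
        p = end
    for _field in range(3):                 # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # validity SEQUENCE
    _, _, p = _tlv(der, p)                  # skip notBefore
    tag, s, e = _tlv(der, p)
    t = der[s:e].decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year, pivot at 50 (RFC 5280)
        t = ("19" if int(t[:2]) >= 50 else "20") + t
    return datetime.strptime(t, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _expiry(m):
    return not_after(base64.b64decode(m["b64"]))

def audit(bundle, now):
    """List (label, notAfter, expired) for every certificate in the bundle text."""
    return [(m["name"] or "(unlabelled)", _expiry(m), _expiry(m) < now)
            for m in SECTION_RE.finditer(bundle)]

def prune_expired(bundle, now):
    """Remove complete sections (label, underline, PEM block) whose certificate has expired."""
    return SECTION_RE.sub(lambda m: "" if _expiry(m) < now else m[0], bundle)

if __name__ == "__main__":                  # usage: script.py COPY_OF_ca-bundle.crt [PRUNED_OUTPUT]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    now = datetime.now(timezone.utc)
    for name, na, expired in audit(text, now):
        print("EXPIRED" if expired else "ok     ", na.date(), name)
    if len(sys.argv) > 2:
        open(sys.argv[2], "w", encoding="utf-8").write(prune_expired(text, now))
```

Run it against a copy of ca-bundle.crt, never the live file, and compare the pruned output with the original before swapping it in.
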
Richard Haselgrove
Volunteer tester
Help desk expert

Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105549 - Posted: 30 Sep 2021, 19:32:54 UTC - in response to Message 105548.  

You mean this one?



Searching for 'DST X3' didn't find anything.
ID: 105549

lanbrown
Joined: 30 Sep 21
Posts: 7
Message 105550 - Posted: 30 Sep 2021, 19:41:54 UTC - in response to Message 105549.  

> You mean this one?
>
> Searching for 'DST X3' didn't find anything.


That's the one that is expired.
ID: 105550

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105551 - Posted: 30 Sep 2021, 19:42:53 UTC - in response to Message 105549.  

OK, that worked. I removed the one I showed you, between these two scheduler requests:

30/09/2021 18:52:19 | GPUGRID | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
30/09/2021 20:38:59 | GPUGRID | Scheduler request completed: got 1 new tasks

Unless they've done something to their server, too ;-)
ID: 105551

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105552 - Posted: 30 Sep 2021, 19:48:19 UTC

AT YOUR OWN RISK

Google drive

Make a safe copy of your old one, just in case.
ID: 105552

Dr Who Fan
Joined: 10 May 07
Posts: 755
United States
Message 105556 - Posted: 30 Sep 2021, 22:02:12 UTC - in response to Message 105552.  

> AT YOUR OWN RISK
>
> Google drive
>
> Make a safe copy of your old one, just in case.

Works for me. Downloaded and copied to BOINC program folder, replacing old certificate.
ID: 105556

Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 105557 - Posted: 30 Sep 2021, 22:52:01 UTC

In addition to the workaround of removing the expired certificate from ca-bundle, it seems projects can also work around this by using certbot --preferred-chain "ISRG Root X1" when getting their Let's Encrypt certificate; this gives compatibility with old OpenSSL (while breaking compatibility with old Android).

The real fix is still to upgrade OpenSSL, but devs told me it won't be quick :)
ID: 105557

Bill Freauff
Joined: 26 Mar 11
Posts: 85
United States
Message 105558 - Posted: 30 Sep 2021, 23:19:13 UTC

Another project affected ... WUprop

Bill F
ID: 105558

Dr Who Fan
Joined: 10 May 07
Posts: 755
United States
Message 105559 - Posted: 1 Oct 2021, 0:40:33 UTC - in response to Message 105558.  

> Another project affected ... WUprop

I mentioned two projects, WuProp & iThena, in my original post that started this topic.
ID: 105559

brucemoreg
Joined: 1 Oct 21
Posts: 2
Message 105560 - Posted: 1 Oct 2021, 4:29:05 UTC
Last modified: 1 Oct 2021, 4:29:50 UTC

Other projects affected:
Amicable Numbers
SiDock@home

(which were fixed using the updated certificate :)
ID: 105560

boboviz
Help desk expert
Joined: 12 Feb 11
Posts: 394
Italy
Message 105563 - Posted: 1 Oct 2021, 7:34:09 UTC - in response to Message 105525.  

> Checking that ca-bundle.crt is still serviceable is on the Release Manager's checklist for new versions (I put it there), and there's supposed to be a new version to coincide with the release of Windows 11 on October 5.

Do you plan to release a new Windows client next week?
ID: 105563

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105564 - Posted: 1 Oct 2021, 7:45:46 UTC - in response to Message 105563.  

> Do you plan to release a new Windows client next week?

I no longer have that responsibility - they took it away from me after one trial run with v7.10 in 2018.

So far as I can see, the current Release Manager (who is based in California, in the PDT time zone) has not yet responded to the emergence of this problem, on any of the channels I can monitor.
ID: 105564

Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14774
Netherlands
Message 105566 - Posted: 1 Oct 2021, 7:52:56 UTC - in response to Message 105564.  

I don't see any movement or sense of urgency at the development stage.
ID: 105566

Dave
Joined: 28 Jun 10
Posts: 1500
United Kingdom
Message 105567 - Posted: 1 Oct 2021, 9:20:39 UTC - in response to Message 105552.  

> AT YOUR OWN RISK
>
> Google drive
>
> Make a safe copy of your old one, just in case.


Done the replacement on my WINE installation but didn't actually confirm it was affected as not currently running.
ID: 105567

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105570 - Posted: 1 Oct 2021, 10:20:20 UTC - in response to Message 105567.  

> Done the replacement on my WINE installation but didn't actually confirm it was affected as not currently running.

You can do a simple 'project update', from either BOINC Manager or boinccmd, to verify that. The Event Log will show either 'failed' with the expired certificate in the bundle, or 'completed' with it removed.

The bad certificate blocks all https communication between client and server, not just uploads.
ID: 105570

Dirk Broer
Joined: 19 Jun 10
Posts: 16
British Virgin Islands
Message 105572 - Posted: 1 Oct 2021, 11:33:14 UTC - in response to Message 105566.  

Jord:
> I don't see any movement or sense of urgency at the development stage.

Richard:
> The bad certificate blocks all https communication between client and server, not just uploads.


I see a very high urgency at the development stage is needed

ID: 105572

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105573 - Posted: 1 Oct 2021, 11:37:50 UTC - in response to Message 105572.  

> I see a very high urgency at the development stage is needed

So do we, but unfortunately it's the middle of the night in California. Fixing this one requires tools only available to authorised users - probably employees only - of the University of California in Berkeley.

I hope someone with the appropriate contacts can kick the relevant people out of bed when the sun rises.
ID: 105573

Dennis Menace
Joined: 1 Oct 21
Posts: 2
Greece
Message 105574 - Posted: 1 Oct 2021, 12:56:14 UTC - in response to Message 105573.  
Last modified: 1 Oct 2021, 12:58:15 UTC

@Richard Haselgrove your updated certificate works like a charm, except for WCG it worked for a short while and now......
(Time zone GMT+3)

10/1/2021 3:39:47 PM | World Community Grid | update requested by user
10/1/2021 3:39:48 PM | World Community Grid | Sending scheduler request: Requested by user.
10/1/2021 3:39:48 PM | World Community Grid | Not requesting tasks: don't need (CPU: not highest priority project; AMD/ATI GPU: not highest priority project)
10/1/2021 3:39:50 PM | World Community Grid | Scheduler request failed: HTTP service unavailable

Seems like they changed something shortly after we made changes.
ID: 105574

Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 4642
United Kingdom
Message 105575 - Posted: 1 Oct 2021, 13:04:30 UTC - in response to Message 105574.  

Yes, they had an unplanned outage:

> Greetings,
>
> We are experiencing an outage that has caused us to stop issuing new work or receiving completed work back from the volunteers.
>
> We apologize for the issue and are working to restore normal service as soon as possible.

https://www.worldcommunitygrid.org/forums/wcg/viewthread_thread,43772
ID: 105575

Copyright © 2021 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.